The S@vvy_Geek Tips Tech Blog
Straightforward computer tutorials, quality professional content.
I review only the software I test myself.
Press release doesn't belong here.
Tips for an Information Security Analyst/Pentester career - Ep. 60: Pivoting attack
Wed, 18 Apr 2018 02:06:00 +0000, by Mattia Campagnano (hacking, pentesting, tips&amp;tricks)
<div class="ennote">
<div>This post follows up on <a href="https://savvygeektips.blogspot.com/2017/12/tips-for-information-security_14.html">Tips for an Information Security Analyst/Pentester career - Ep. 47: Post-exploitation (pt. 3)</a>, where I had tried to perform a pivoting attack and failed.</div>
<div>This time I'm going to show you how to perform a successful attack.</div>
<div><a href="https://en.wikipedia.org/wiki/Exploit_(computer_security)">Pivoting attacks</a> are part of the post-exploitation stage.</div>
<div>In other words, after compromising a target, you can use that target as a bridgehead to reach other networks that might otherwise be unreachable directly from the attacking machine.</div>
<iframe allow="autoplay; encrypted-media" allowfullscreen="" frameborder="0" height="315" src="https://www.youtube.com/embed/-N8iyFCVw98" width="560"></iframe>
<div><span style="font-style: italic;">Network configuration</span></div>
<div>In this specific case, we're going to have the following network configuration:</div>
<div><a href="http://4.bp.blogspot.com/-atOFHuRAPjA/WtameLO7HBI/AAAAAAAAGI8/ONkiGKSdMq09FGOPCbBHgOxSKqDiR421gCK4BGAYYCw/s1600/786464f1632814b368e55f6092f51642-758734.png"><img alt="" border="0" height="640" id="BLOGGER_PHOTO_ID_6545602145771265042" src="https://4.bp.blogspot.com/-atOFHuRAPjA/WtameLO7HBI/AAAAAAAAGI8/ONkiGKSdMq09FGOPCbBHgOxSKqDiR421gCK4BGAYYCw/s640/786464f1632814b368e55f6092f51642-758734.png" width="406" /></a></div>
<div>Therefore, we can access the vulnerable XP machine only through LAN interface 2 on the Windows 7 machine.</div>
<div><span style="font-style: italic;">Windows 7 attack (from Kali to Windows 7)</span></div>
<div>I'm going to perform the same steps explained in my previous post <a href="https://savvygeektips.blogspot.com/2017/11/tips-for-information-security_30.html">Tips for an Information Security Analyst/Pentester career - Ep. 42: Client-side attacks (pt. 3)</a>, but this time I need to change the IP address of the Kali machine to 192.168.1.107.</div>
<div>I run the malicious Winamp Rocketship skin and get a shell.</div>
<div><a href="http://2.bp.blogspot.com/--gAODHMv5I0/WtamemoLnJI/AAAAAAAAGJE/qViu6CkE5D4VjZDndYC7S1iLzOOUba8-ACK4BGAYYCw/s1600/9598504f50b775f07c481b637378fe88-762008.png"><img alt="" border="0" height="412" id="BLOGGER_PHOTO_ID_6545602153124961426" src="https://2.bp.blogspot.com/--gAODHMv5I0/WtamemoLnJI/AAAAAAAAGJE/qViu6CkE5D4VjZDndYC7S1iLzOOUba8-ACK4BGAYYCw/s640/9598504f50b775f07c481b637378fe88-762008.png" width="640" /></a></div>
<div>We're inside our Windows 7 machine, as proven by the output of the <b>sysinfo</b> command.</div>
<div><a href="http://4.bp.blogspot.com/-oKyUAgJsRts/Wtame-8ISAI/AAAAAAAAGJM/hIEF0EFTpqAWvYM6MLbfkZnqbJ-v-h1NgCK4BGAYYCw/s1600/ae78f5a6d17d2ae1b2a352cfa5a55878-763023.png"><img alt="" border="0" height="166" id="BLOGGER_PHOTO_ID_6545602159651080194" src="https://4.bp.blogspot.com/-oKyUAgJsRts/Wtame-8ISAI/AAAAAAAAGJM/hIEF0EFTpqAWvYM6MLbfkZnqbJ-v-h1NgCK4BGAYYCw/s640/ae78f5a6d17d2ae1b2a352cfa5a55878-763023.png" width="640" /></a></div>
<div>We know this Windows 7 VM is multi-homed: it has two network cards, one of which is connected to an internal subnet unreachable from Kali.</div>
<div>The <i><b>get_local_subnets</b></i> Meterpreter script lists all the local subnets it finds.</div>
<div><a href="http://3.bp.blogspot.com/-30x7xGPFtOY/Wtame9urVNI/AAAAAAAAGJU/-kWZ0Zi4SvcmZ0wTSUEiMCUIlBsBf7D0gCK4BGAYYCw/s1600/4c6ef7de7c4b6a2fbc770b99707d7330-763858.png"><img alt="" border="0" height="116" id="BLOGGER_PHOTO_ID_6545602159326221522" src="https://3.bp.blogspot.com/-30x7xGPFtOY/Wtame9urVNI/AAAAAAAAGJU/-kWZ0Zi4SvcmZ0wTSUEiMCUIlBsBf7D0gCK4BGAYYCw/s640/4c6ef7de7c4b6a2fbc770b99707d7330-763858.png" width="640" /></a></div>
<div>At this point we need to add a manual route to the 172.16.137.0/28 subnet, so that traffic for it is relayed through the compromised Windows 7 host.</div>
<div>Notice that this subnet is reachable through session 3, which is already open in Meterpreter.</div>
<div><a href="http://4.bp.blogspot.com/-IN4Ogut1Vks/WtamfWz25JI/AAAAAAAAGJc/Ow_QqJSGFaohdbwBTh_Ro1eoTL4Tae5vACK4BGAYYCw/s1600/47fda5ac0ab1f330f8fe142cdcf6d632-765122.png"><img alt="" border="0" height="322" id="BLOGGER_PHOTO_ID_6545602166058837138" src="https://4.bp.blogspot.com/-IN4Ogut1Vks/WtamfWz25JI/AAAAAAAAGJc/Ow_QqJSGFaohdbwBTh_Ro1eoTL4Tae5vACK4BGAYYCw/s640/47fda5ac0ab1f330f8fe142cdcf6d632-765122.png" width="640" /></a></div>
<div><span style="font-style: italic;">Pivoting (from Windows 7 to Windows XP)</span></div>
<div>For the pivoting attack to succeed, we need a remote exploit.</div>
<div>My XP SP2 machine is vulnerable to the <a href="https://www.rapid7.com/db/modules/exploit/windows/smb/ms08_067_netapi">MS08-067 exploit</a>, and that's why it is only reachable from an internal network.</div>
<div>We can't reach XP directly from Kali, but we can attack it from Windows 7, which communicates on the same subnet.</div>
<div>Let's now configure and launch the attack.</div>
<div>We need to use a <span style="font-weight: bold;">Meterpreter bind shell</span>, because a reverse shell wouldn't be able to reach back to Kali.</div>
<div>The attack is successful and we were able to pivot into a new machine on the 172.16.137.0/28 subnet.</div>
<div><span style="font-style: italic;">(More details in the embedded video.)</span></div>
<div><a href="http://4.bp.blogspot.com/-A5TZ3oVcgf0/WtamfstpTuI/AAAAAAAAGJk/xKikS2FQJZ0oBbydBWTMoqOTSyEtJYk5gCK4BGAYYCw/s1600/77951599f10490067afa27ce5177c0a4-766200.png"><img alt="" border="0" height="408" id="BLOGGER_PHOTO_ID_6545602171938361058" src="https://4.bp.blogspot.com/-A5TZ3oVcgf0/WtamfstpTuI/AAAAAAAAGJk/xKikS2FQJZ0oBbydBWTMoqOTSyEtJYk5gCK4BGAYYCw/s640/77951599f10490067afa27ce5177c0a4-766200.png" width="640" /></a></div>
<div><a href="http://2.bp.blogspot.com/-2fqy4dXqHVE/Wtamf1bmLpI/AAAAAAAAGJs/5HEcScKssvYji3UHJbFGgNQjETk5PDufQCK4BGAYYCw/s1600/7985d775bc681396e7f7adae1332c60f-767281.png"><img alt="" border="0" height="184" id="BLOGGER_PHOTO_ID_6545602174278577810" src="https://2.bp.blogspot.com/-2fqy4dXqHVE/Wtamf1bmLpI/AAAAAAAAGJs/5HEcScKssvYji3UHJbFGgNQjETk5PDufQCK4BGAYYCw/s640/7985d775bc681396e7f7adae1332c60f-767281.png" width="640" /></a></div>
<div>We can also use port forwarding to access the <i>minishare</i> server on XP and have a look at the files stored there.</div>
<div><a href="http://2.bp.blogspot.com/-XCWvBO2F_L0/WtamgApRTAI/AAAAAAAAGJ0/EVjWVhpiUU8Gx02QMZB9jbCKYQETtoh7QCK4BGAYYCw/s1600/3d5e0edddbb4e125c48a507c94fd7393-768392.png"><img alt="" border="0" id="BLOGGER_PHOTO_ID_6545602177288719362" src="https://2.bp.blogspot.com/-XCWvBO2F_L0/WtamgApRTAI/AAAAAAAAGJ0/EVjWVhpiUU8Gx02QMZB9jbCKYQETtoh7QCK4BGAYYCw/s320/3d5e0edddbb4e125c48a507c94fd7393-768392.png" /></a></div>
<div><a href="http://4.bp.blogspot.com/-zsZdhoD2boM/WtamgjHlN4I/AAAAAAAAGJ8/Pbt7cJf8krMprzMKqCxFJcVfSioMifovQCK4BGAYYCw/s1600/9f11b718d618365a90d6c2191a1d3f3e-769951.png"><img alt="" border="0" height="372" id="BLOGGER_PHOTO_ID_6545602186542659458" src="https://4.bp.blogspot.com/-zsZdhoD2boM/WtamgjHlN4I/AAAAAAAAGJ8/Pbt7cJf8krMprzMKqCxFJcVfSioMifovQCK4BGAYYCw/s640/9f11b718d618365a90d6c2191a1d3f3e-769951.png" width="640" /></a></div>
<div><span style="font-style: italic;">Wrap-up</span></div>
<div>Pivoting attacks can be very dangerous and lead to the exploitation of a whole network if security best practices and effective segmentation are not in place.</div>
<div>Such an old machine shouldn't be run in a production environment, regardless of the fact that it's not accessible from the Internet.</div>
<div>This internal network could be, for example, a DMZ: once we'd broken into that, we could get onto the domain controller and pwn the whole network.</div>
<div>I plan to add a Windows Server 2003 machine to this configuration and create a whole internal network of vulnerable machines within that specific subnet.</div>
<div>There are always ways to get in, as I've just shown you.</div>
</div><div class="blogger-post-footer"><hr />
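The wrap-up makes the defender's point: a multi-homed host is exactly what turns one compromise into a foothold on the next subnet. The Python below is an added example (not code from the post, from Metasploit or from the blog's author) that audits a host inventory for that risk: it lists multi-homed hosts, flags any that bridge two subnets an isolation policy says must stay apart, and runs a breadth-first search from a foothold to show the shortest pivot chain to every reachable host. The host names, every address except Kali's 192.168.1.107, the isolation policy and the function names are assumptions; the two subnets are the ones from the post. It goes beyond the post's single hop: the search finds chains through any number of multi-homed machines.

```python
"""Segmentation reach analysis: which hosts a foothold can reach by pivoting.

Added example with a constructed inventory. Host names, the non-Kali
addresses and the isolation policy are hypothetical; the two subnets mirror
the lab in the post (Kali on 192.168.1.0/24, XP on 172.16.137.0/28,
Windows 7 with an interface on each).
"""
import ipaddress
from collections import deque

# Constructed inventory: host -> interface addresses in CIDR notation.
INVENTORY = {
    "kali":   ["192.168.1.107/24"],
    "win7":   ["192.168.1.105/24", "172.16.137.2/28"],   # dual-homed
    "winxp":  ["172.16.137.5/28"],
    "files":  ["192.168.1.20/24"],
    "backup": ["10.9.8.7/24"],                           # isolated segment
}

# Constructed policy: subnet pairs that must have no host in common.
ISOLATION_POLICY = [("192.168.1.0/24", "172.16.137.0/28")]


def host_networks(addresses):
    """Return the set of subnets a host has an interface on."""
    return {ipaddress.ip_interface(a).network for a in addresses}


def multi_homed_hosts(inventory):
    """Hosts with interfaces on two or more subnets: each is a potential pivot."""
    return sorted(h for h, addrs in inventory.items() if len(host_networks(addrs)) > 1)


def policy_violations(inventory, policy):
    """Hosts that bridge two subnets the policy says must stay isolated."""
    pairs = [(ipaddress.ip_network(a), ipaddress.ip_network(b)) for a, b in policy]
    hits = []
    for host, addrs in inventory.items():
        nets = host_networks(addrs)
        for a, b in pairs:
            if a in nets and b in nets:
                hits.append((host, str(a), str(b)))
    return sorted(hits)


def adjacency(inventory):
    """Two hosts are adjacent when they share at least one subnet."""
    nets = {h: host_networks(a) for h, a in inventory.items()}
    return {h: sorted(o for o in nets if o != h and nets[h] & nets[o]) for h in nets}


def pivot_paths(inventory, foothold):
    """Breadth-first search from a compromised host.

    Returns {host: shortest chain of hosts from the foothold}. A chain with
    more than two entries means the attacker had to pivot through at least
    one multi-homed machine; hosts missing from the result are unreachable.
    """
    graph = adjacency(inventory)
    paths = {foothold: [foothold]}
    queue = deque([foothold])
    while queue:
        cur = queue.popleft()
        for nxt in graph[cur]:
            if nxt not in paths:
                paths[nxt] = paths[cur] + [nxt]
                queue.append(nxt)
    return paths


if __name__ == "__main__":
    print("multi-homed hosts:", multi_homed_hosts(INVENTORY))
    print("policy violations:", policy_violations(INVENTORY, ISOLATION_POLICY))
    for host, chain in sorted(pivot_paths(INVENTORY, "kali").items()):
        print(f"{host:7s} <- {' -> '.join(chain)}")
```

Run it as a script and the chain for `winxp` comes out as kali -> win7 -> winxp, which is the pivot the post performs by hand; `backup` never appears because no host shares a subnet with it, which is what proper segmentation should look like for every sensitive segment.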
<a href="http://savvygeektips.blogspot.com">One Tip A Day Tech Blog</a></div><div class="feedflare">
</div>
Tips for an Information Security Analyst/Pentester career - Ep. 59: Blue team action
Tue, 10 Apr 2018 16:51:00 +0000, by Mattia Campagnano (cybersecurity, hacking, pentesting)
<div class="ennote">
<div>What is being a blue teamer all about?</div>
<div>I don't like theoretical blah blah, so in this post I'm trying to give you a realistic flavor of what a blue teamer's work is all about.</div>
<div>I'm going to use the <a href="https://www.alienvault.com/products/usm-anywhere/demo">AlienVault USM Anywhere Online Demo</a> to give you an idea of what being a blue teamer feels like, at least in part.</div>
<iframe allow="autoplay; encrypted-media" allowfullscreen="" frameborder="0" height="315" src="https://www.youtube.com/embed/J3ZEYYY4pZk" width="560"></iframe>
<div>So, what does a blue teamer do?</div>
<div>We check server logs for interesting patterns and, when a single alarm occurs multiple times, it generates an event.</div>
<div>In other words, a failed login per se doesn't represent a relevant threat, but if we have 300 such events in, say, 90 minutes, we might be onto something we want to look at much more thoroughly.</div>
<div>Before getting into alarms, it's important to talk about <span style="font-weight: bold;">events</span>, <span style="font-weight: bold;">directives</span> and <span style="font-weight: bold;">correlation</span>.</div>
<div>A single alarm per se isn't very important, but when you start seeing a significant number of similar alarms, you may be looking at a specific event. Directives are rules defining what to do when a certain event is detected.</div>
<div>A correlation engine analyzes a series of logs and, if they match a certain rule within a specific time frame, it creates an alarm with a specific priority.</div>
<div>Let's go to <span style="font-style: italic;">Activity/Alarms</span> from the dashboard in AlienVault to see what's going on.</div>
<div>You might notice that all the alarms shown in this demo are fake and relate to virtualized systems (you see VMware, Hyper-V and AWS environments).</div>
<div>You'll never normally see such macroscopic situations in real life, but there are nonetheless some interesting alarms we might want to investigate.</div>
<div>Lots of alarms might be triggered by automated vulnerability scans or by scheduled tasks.</div>
<div>One pretty realistic example we might want to look at is related to repeated login failures.</div>
<div>I'm not normally very worried about them, but there are certain cases where you want to have a closer look.</div>
<div>Let's now analyze a specific example from the demo.</div>
<div>I analyze the details by clicking the alarm.</div>
<div><a href="http://3.bp.blogspot.com/-YmVQXHAOhyc/Wszj1cvfCBI/AAAAAAAAFZQ/0JjPzWCnxqIHEcp_8IgaIZAXzoPG1-EIQCK4BGAYYCw/s1600/3f0d08305dda58cf807cce43ae574db5-708037.png"><img alt="" border="0" height="418" id="BLOGGER_PHOTO_ID_6542854866050418706" src="https://3.bp.blogspot.com/-YmVQXHAOhyc/Wszj1cvfCBI/AAAAAAAAFZQ/0JjPzWCnxqIHEcp_8IgaIZAXzoPG1-EIQCK4BGAYYCw/s640/3f0d08305dda58cf807cce43ae574db5-708037.png" width="640" /></a></div>
<div><a href="http://2.bp.blogspot.com/-oSfHxQAnb9A/Wszj2YPeKMI/AAAAAAAAFZc/RK6J2lxHD8ggmqOvrxu7CB0Eef9oEMolQCK4BGAYYCw/s1600/5bde84593c95681711da7939a6bab38c-711680.png"><img alt="" border="0" height="452" id="BLOGGER_PHOTO_ID_6542854882022271170" src="https://2.bp.blogspot.com/-oSfHxQAnb9A/Wszj2YPeKMI/AAAAAAAAFZc/RK6J2lxHD8ggmqOvrxu7CB0Eef9oEMolQCK4BGAYYCw/s640/5bde84593c95681711da7939a6bab38c-711680.png" width="640" /></a></div>
<div>You notice this alarm was generated by a series of logs related to the same source.</div>
<div>The first thing we want to do is analyze the source and destination IP addresses.</div>
<div>I wrote a bash script to do that, called <a href="https://github.com/matticamp/ipchecker.github.io">ipchecker.bash</a>, but you can also use OTX (Open Threat Exchange), a threat intelligence database developed by AlienVault, if you have a subscription for it.</div>
<div>Clicking <span style="font-style: italic;">Look up in OTX</span> doesn't tell us a lot.</div>
<div>Therefore, I run my script.</div>
<div>In its latest version, I added VirusTotal to the sites I normally use to check IPs, as it's a reference I use pretty much every day.</div>
<div>The source IP address turns out to be located in Botswana.</div>
<div><a href="http://4.bp.blogspot.com/-7DU95UUM4tg/Wszj3GTRYnI/AAAAAAAAFZk/8nJJwtXnPIwQtmDFk8WxtETOk4FJvYL7ACK4BGAYYCw/s1600/cd31433c86ef8fb8b203f292edaa9ab0-714998.png"><img alt="" border="0" height="640" id="BLOGGER_PHOTO_ID_6542854894386242162" src="https://4.bp.blogspot.com/-7DU95UUM4tg/Wszj3GTRYnI/AAAAAAAAFZk/8nJJwtXnPIwQtmDFk8WxtETOk4FJvYL7ACK4BGAYYCw/s640/cd31433c86ef8fb8b203f292edaa9ab0-714998.png" width="624" /></a></div>
<div>Talos tells us its reputation is poor, but that doesn't necessarily mean an attack is going on.</div>
<div>As for the destination IP, it looks like the legitimate Office 365 portal, even though VirusTotal detects some typosquatters.</div>
<div><a href="http://3.bp.blogspot.com/-4sz9gHgu7SA/Wszj3-J9EII/AAAAAAAAFZs/h0b3m6sGh1ofeQfaPfX30x9Pt8cWvz8VQCK4BGAYYCw/s1600/b6059d22f46ff8c74d7d674b69458e85-718365.png"><img alt="" border="0" height="640" id="BLOGGER_PHOTO_ID_6542854909379547266" src="https://3.bp.blogspot.com/-4sz9gHgu7SA/Wszj3-J9EII/AAAAAAAAFZs/h0b3m6sGh1ofeQfaPfX30x9Pt8cWvz8VQCK4BGAYYCw/s640/b6059d22f46ff8c74d7d674b69458e85-718365.png" width="592" /></a></div>
<div>At the end of the day, we can safely assume it's a false positive.</div>
<div>Someone got locked out of his/her Office 365 account.</div>
<div>We might additionally contact the client to let them know about the issue and add their insights to our analysis, but I'm not hugely concerned about this type of event.</div>
<div>I start being very concerned when, analyzing logs, I find that the Administrator account, or the SID S-1-5-18, which is a service account used by the system, are involved.</div>
<div>Another thing that raises a red flag for me is finding a code such as <span style="font-weight: bold;">0xC0000072</span> in the description (<i>User logon to account disabled by administrator</i>).</div>
<div>In fact, this isn't very frequent and might mean someone got hold of an old account and tried to use it to log in (a former disgruntled employee, maybe?).</div>
<div>The codes you find in raw logs are cryptic and not very human-friendly.</div>
<div>They display a bunch of hex codes, but those codes do have a very specific meaning.</div>
<div>I use several references to interpret them, and one of my favorites is <a href="https://community.rsa.com/community/products/netwitness/blog/2017/06/03/analysts-reference-windows-4625">this</a>.</div>
<div>Of course, I analyzed a very macroscopic, clear-cut alarm, but real-life scenarios can be much blurrier, and that's why being an analyst is hard.</div>
<div>You can easily overlook details in the massive amount of information you have to sift through every day, if you don't have an eye for detail.</div>
<div>When this happens, a breach is around the corner.</div>
<div>Another problem with blue team work is the "<i>Chicken Little-ish</i>" effect (quoting John Svazic).</div>
<div>What I mean is that sometimes you may be afraid to wreak havoc and upset the client, for fear of getting in trouble.</div>
<div>Essentially, you hold off on creating an alarm even when there might be some potential red flags, until you gain additional information, but sometimes this can be too little, too late.</div>
<div>That's a real problem.</div>
<div>I'd rather talk to the client and ask them for whatever insights they might have than scare them off altogether.</div>
<div>Sometimes you might find that a bunch of alarms were generated because a specific server was down, for example.</div>
<div>If your company provides managed services to the client, this is something only the client might know, as in the end it's their network.</div>
<div>The biggest problem for blue teamers is telling real alarms from noise.</div>
<div>For example, when I started my current job, monitoring AlienVault, one day I started noticing a bunch of juicy alarms for a customer: XSS, SQL injections, brute force attacks, <i>action finally!</i></div>
<div>I was all excited, thinking: "<i>This is the time</i>".</div>
<div>Then my boss told me it was the result of an automated vulnerability scan.</div>
<div>So now I know: it's not a real thing.</div>
<div>The problem is, you can't trust that 100%.</div>
<div>Maybe one day there'll be something real behind that noise, and that's when you're screwed.</div>
<div>What does a shooter do to try to escape?</div>
<div>He/she blends into the crowd of people running away.</div>
<div>You don't notice a shooter if he/she's amidst a crowd.</div>
<div>That's what a real threat might do.</div>
</div><div class="blogger-post-footer"><hr />
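To make the event/directive/correlation idea above concrete, here is an added Python example (mine, not AlienVault's engine and not the author's ipchecker script) that runs a toy correlation directive over constructed Windows 4625 (failed logon) log lines. A sliding time window counts failures per source and raises one medium-priority alarm per source when the count reaches the threshold, while the single-event red flags the post names (SubStatus 0xC0000072, the Administrator account, SID S-1-5-18) fire high-priority alarms on their own. The log line format, host names, accounts, addresses (RFC 5737 documentation ranges) and function names are assumptions; the meanings of the status code and the SID are as given in the post.

```python
"""Toy correlation engine for Windows failed-logon events (EventID 4625).

Added example. The "<iso timestamp> key=value ..." line format, host names,
accounts and addresses are constructed for illustration; they are not taken
from AlienVault or from any real system.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines. One source (203.0.113.9) hammers one account,
# one failure targets Administrator, one hits a disabled account, one involves
# the LocalSystem SID; the 4624 line is a successful logon and is ignored.
LOG_LINES = [
    "2018-04-10T14:00:00 host=dc01 EventID=4625 Account=jsmith SourceIP=203.0.113.9 SubStatus=0xC000006A",
    "2018-04-10T14:00:30 host=dc01 EventID=4625 Account=jsmith SourceIP=203.0.113.9 SubStatus=0xC000006A",
    "2018-04-10T14:01:00 host=dc01 EventID=4625 Account=jsmith SourceIP=203.0.113.9 SubStatus=0xC000006A",
    "2018-04-10T14:01:30 host=dc01 EventID=4625 Account=jsmith SourceIP=203.0.113.9 SubStatus=0xC000006A",
    "2018-04-10T14:02:00 host=dc01 EventID=4625 Account=jsmith SourceIP=203.0.113.9 SubStatus=0xC000006A",
    "2018-04-10T14:02:30 host=dc01 EventID=4625 Account=jsmith SourceIP=203.0.113.9 SubStatus=0xC000006A",
    "2018-04-10T14:03:00 host=dc01 EventID=4624 Account=jsmith SourceIP=203.0.113.9 SubStatus=0x0",
    "2018-04-10T14:05:00 host=dc01 EventID=4625 Account=bwayne SourceIP=198.51.100.7 SubStatus=0xC000006A",
    "2018-04-10T14:06:00 host=dc01 EventID=4625 Account=Administrator SourceIP=198.51.100.7 SubStatus=0xC000006A",
    "2018-04-10T14:10:00 host=app02 EventID=4625 Account=oldemployee SourceIP=192.0.2.44 SubStatus=0xC0000072",
    "2018-04-10T14:12:00 host=app02 EventID=4625 Account=SYSTEM TargetSid=S-1-5-18 SourceIP=192.0.2.44 SubStatus=0xC000006D",
]

# Single events that deserve a high-priority alarm on their own (from the post).
RED_FLAG_SUBSTATUS = {"0xC0000072": "logon attempt to an account disabled by the administrator"}
SENSITIVE_ACCOUNTS = {"Administrator"}
SENSITIVE_SIDS = {"S-1-5-18"}  # the system's own account

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one constructed log line into a dict, with a datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    event = dict(KV_RE.findall(rest))
    event["ts"] = datetime.fromisoformat(ts)
    return event


def correlate(lines, threshold=5, window_minutes=10):
    """Apply one directive to a stream of log lines and return the alarms.

    - a red-flag single event (disabled account, Administrator, S-1-5-18)
      fires a 'high' alarm immediately;
    - `threshold` failed logons from one source inside a sliding window of
      `window_minutes` fire one 'medium' alarm for that source.
    """
    window = timedelta(minutes=window_minutes)
    alarms = []
    recent = defaultdict(deque)   # source IP -> timestamps still inside the window
    fired = set()                 # sources already alarmed on, to avoid repeats
    for line in lines:
        ev = parse_line(line)
        if ev.get("EventID") != "4625":
            continue              # only failed logons feed this directive
        src = ev.get("SourceIP", "?")
        acct = ev.get("Account", "?")
        if ev.get("SubStatus") in RED_FLAG_SUBSTATUS:
            alarms.append({"priority": "high", "source": src,
                           "reason": f"{acct}: {RED_FLAG_SUBSTATUS[ev['SubStatus']]}"})
        if acct in SENSITIVE_ACCOUNTS or ev.get("TargetSid") in SENSITIVE_SIDS:
            alarms.append({"priority": "high", "source": src,
                           "reason": f"failed logon against sensitive account {acct}"})
        q = recent[src]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()           # drop attempts older than the window
        if len(q) >= threshold and src not in fired:
            fired.add(src)
            alarms.append({"priority": "medium", "source": src,
                           "reason": f"{len(q)} failed logons within {window_minutes} minutes"})
    return alarms


def summarize(alarms):
    """Count alarms per priority, the way a dashboard tile would."""
    counts = defaultdict(int)
    for a in alarms:
        counts[a["priority"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for a in correlate(LOG_LINES):
        print(f"[{a['priority']:6s}] {a['source']:13s} {a['reason']}")
    print(summarize(correlate(LOG_LINES)))
```

With the post's own numbers the same directive becomes `correlate(LOG_LINES, threshold=300, window_minutes=90)`; on this small sample that leaves only the three high-priority alarms, which is the point: the volume rule and the single-event red flags are independent, and a quiet source can still deserve attention.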
<a href="http://savvygeektips.blogspot.com">One Tip A Day Tech Blog</a></div><div class="feedflare">
</div>
Tips for an Information Security Analyst/Pentester career - Ep. 58: Blue vs red: does it still make sense?
Wed, 28 Feb 2018 02:40:00 +0000, by Mattia Campagnano (cybersecurity, hacking, pentesting)
<div class="ennote">
<div>I recently participated in a very exciting <a href="https://www.youtube.com/watch?v=XyUKN0HRp0E">PeerTalk on Pentesting</a> and had a long and stimulating conversation with all the members, featuring, among others, Georgia Weidman.</div>
<div>I couldn't believe she really took the time to participate and that she found some of my points valid.</div>
<div>I had to pinch myself, I mean WOW!</div>
<div>However, this post isn't for me to brag about this achievement, but to wrap up some concepts emerging from the panel that I found absolutely paramount.</div>
<div>The most important of these, in my opinion, is that we need to move past the strict red team/blue team distinction and rethink and redesign the role of pentesters in general, along with the purpose of penetration testing overall.</div>
<div>In fact, there seems to be an over-emphasis on offensive security and on red teamers for the heck of it, without thinking of what a pentest can actually add in terms of value for a business, or of what lessons an organization can learn from it.</div>
<div>Though a shift seems to have started, as the best and brightest hackers, such as my former boss Dave Kennedy and John Strand, are re-evaluating defensive security and developing solutions to help defenders and assist companies in defending better, a lot of work still seems to be needed to improve things from this point of view.</div>
<div><a href="http://4.bp.blogspot.com/-tMmWOErZKjM/WpYUA_5cDBI/AAAAAAAAFYE/rTUhgKMYE1kwuH2xBWbBGDKCrcmtBqPRACK4BGAYYCw/s1600/6c0b316dda2709aecf7b1c0eed1c284d-759695.jpeg"><img alt="" border="0" height="360" id="BLOGGER_PHOTO_ID_6527426717305015314" src="https://4.bp.blogspot.com/-tMmWOErZKjM/WpYUA_5cDBI/AAAAAAAAFYE/rTUhgKMYE1kwuH2xBWbBGDKCrcmtBqPRACK4BGAYYCw/s640/6c0b316dda2709aecf7b1c0eed1c284d-759695.jpeg" width="640" /></a></div>
<div><b>Don't get me wrong, offensive security is fun, I LOVE offensive security and I'd like to be a red teamer, too, but blue teamers (including myself) are the often unsung heroes here.</b></div>
<div><b>Blue teamers need to be right all the time. Red teamers (and black hat hackers) only need to be right once and they're in.</b></div>
<div>If you pwn the heck out of an organization, sure, that's fun, but it's pointless and needless if you don't give that organization the tools to address the vulnerabilities that allowed you to hack in.</div>
<div>I get it, being a red teamer looks so cool: you're paid to hack and break stuff, and I'd love to do that, too.</div>
<div>However, there are two types of overlooked considerations to keep in mind.</div>
<div><ol><li><b>A pentest is done to support a business and its result must be explained in business terms.</b> We conduct a pentest to make sure a company knows what its vulnerabilities are and addresses them before the bad guys can exploit them. If pentesters do nothing but submit a report without explaining how to address these vulnerabilities, they give the company no actual service. A pentester should be like a consultant and sit beside corporate management to understand how the organization's processes work and how to improve on the issues discovered. I recently participated in a security assessment for a company in my new role and it's been an eye-opening experience. Jeez, there are a billion aspects to be factored in, so many that your mind starts blowing, and so much overlooked stuff that you ask yourself how these people manage to even stay in business. Then you realize their priorities aren't yours. Their priorities are running the business and making money, not fighting bad guys like you do. They don't understand all these gizmos, and why should they? That's not their role. We're not (always) the center of the universe, guys. You need to talk to these people and make it clear they might lose their proprietary information, which could mean they'd have to close the business.<b> It's business survival.</b></li><li><b>A pentest should be conducted in order to empower the blue team, not to brag about how good we are at popping shells</b>. Sure, popping shells is fun, but pretty much pointless if we assess a company and then find the same exact vulnerabilities one year later. This means that we as security professionals, and the industry overall, failed. We sucked. My greatest pleasure as a security professional would be to do a follow-up pentest on an organization and find out I couldn't easily hack in using the most common techniques, such as SQL injection.</li></ol>
<div>That would mean they actually implemented my recommendations and made their systems more secure. That would mean I contributed to making the world a little bit more secure. That doesn't totally exclude that they might get hacked in the future, but it definitely makes them more secure. It could also potentially save their company and have a positive impact on people's lives, in terms of avoiding job losses.</div></div>
<div><i>Wrap-up</i></div>
<div>We're not making all this progress as an industry, and that's because we're failing.</div>
<div><a href="http://4.bp.blogspot.com/-2oLZbETOwxU/WpYUB2Mkl5I/AAAAAAAAFYM/J00Dgc4vHCkIhBsAhEz7TpE3rN5GC9rywCK4BGAYYCw/s1600/b9a9e359c237e370f5487a2a4cca453c-764863.png"><img alt="" border="0" height="480" id="BLOGGER_PHOTO_ID_6527426731880781714" src="https://4.bp.blogspot.com/-2oLZbETOwxU/WpYUB2Mkl5I/AAAAAAAAFYM/J00Dgc4vHCkIhBsAhEz7TpE3rN5GC9rywCK4BGAYYCw/s640/b9a9e359c237e370f5487a2a4cca453c-764863.png" width="640" /></a></div>
<div><b>Have you ever wondered why overlooked vulnerabilities like SQL injection or XSS, dating back decades, are still in the OWASP Top 10 list?</b></div>
<div>No one addresses this type of problem or bothers advising organizations on how to address these issues.</div>
<div>Bug bounties now normally even exclude them from their scope.</div>
<div>They're too common, not so sexy for marketing purposes. Well, guess what: that's how companies like Equifax got breached.</div>
<div>Several pentesters deliver their darn report (not always well done) and that's it.</div>
<div>This needs to change.</div>
<div><b>We need to move away from this blue team/red team adversarial perspective.</b></div>
<div>We need to create a non-hostile environment, where the two teams can work together and address what can be done, instead of focusing on childish memes and bullying behaviors.</div>
<div>OK, we hacked in, we showed their admins suck, right.</div>
<div>But how would you like to be in those sysadmins' shoes, having to analyze piles of logs to find a needle in a haystack?</div>
<div>Not so fast, bro!</div>
<div>By the way, that kind of behavior speaks volumes about your professionalism.</div>
<div>Not sure you'd be the kind of guy I'd personally like to work with.</div>
<div>We're security professionals; we all work together to make this world more secure, even though from different angles.</div>
<div>Let's come together instead of hurting the whole community with this kind of bullcrap.</div>
<div>Like I stated, the brightest guys in the offensive security community have understood this and are trying to promote an effort towards a more global view.</div>
<div>However, much remains to be done, and organizations selling snake oil, like those indiscriminately promoting bug bounties as a silver bullet, hurt the community even more than this wrong attitude.</div>
<div><b>Security is a mindset, not a product.</b></div>
<div><b>It's easier for marketers to sell a product, because a product is something you can touch, easier to understand than a mindset shift that causes corporate culture to change.</b></div>
<div><b>Buying/selling a product can be a fast process, but changing a corporate culture may require a long time.</b></div>
<div>Scary, right?</div>
<div>All big changes are, but we need to do this or we'll see more and more organizations compromised, economies and lives ruined and eventually, if we consider the possible implications of a hack on the electoral system, the very concept of democracy worldwide undermined.</div>
<div><a href="https://savvygeektips.blogspot.com/2018/02/tips-for-information-security_20.html" target="_blank"><b>Episode 57</b></a></div>
</div><div class="blogger-post-footer"><hr />
<a href="http://savvygeektips.blogspot.com">One Tip A Day Tech Blog</a></div><div class="feedflare">
</div>http://feedproxy.google.com/~r/blogspot/HLRhI/~3/29p9v0N67E8/tips-for-information-security_27.htmlnoreply@blogger.com (Mattia Campagnano)0http://savvygeektips.blogspot.com/2018/02/tips-for-information-security_27.htmltag:blogger.com,1999:blog-2419284614709488194.post-1682605074375791464Tue, 20 Feb 2018 19:31:00 +00002018-02-20T15:50:10.124-05:00cybersecurityforensicshackingpentestingTips for an Information Security Analyst/Pentester career - Ep. 57: Forensic challenge (pt. 1)<div class="ennote"><div>I was watching this <a href="https://www.youtube.com/watch?v=fEip9gl2MTA&amp;t=1718s">video</a> by John Strand on live memory analysis a few days ago.</div><div><br /></div><div>I love his tutorials because they're really inspirational, but in this case John also came out with a series of hands-on labs intended for his forensics students at SANS.</div><div><br /></div><div>I thought to myself, "Yes, I got this, I can do it".
You know, I graduated in Cyber Security &amp; Forensics, so I thought I should've been able to follow through.</div><div><br /></div><div>Here's my tutorial about it.<br /><br /><iframe allow="autoplay; encrypted-media" allowfullscreen="" frameborder="0" height="315" src="https://www.youtube.com/embed/ozEvj2HF5iw" width="560"></iframe></div><div><br /></div><div>In this first part I'll analyze a clean Windows configuration, so that we have a baseline, and in the second part I'll perform the same steps against a system compromised with a Meterpreter shell.</div><div><br /></div><div><br /></div><div><span style="font-style: italic; font-weight: bold;">Simulation</span></div><div><br /></div><div>I simulate a backdoor by running <span style="color: yellow;"><span style="font-weight: bold;">netcat</span> </span>as a listener on TCP port 2222 (in the upcoming second part of this tutorial, I'll create an actual Meterpreter backdoor).</div><div><br /></div><div>If we run <span style="font-style: italic;">netstat -nao 5</span>, we get the list of active connections and listening sockets, redisplayed every 5 seconds: <i>-n</i> skips name resolution, <i>-a</i> includes listening ports, <i>-o</i> adds the owning PID, and the trailing number is the refresh interval in seconds.</div><div><br /></div><div>You'll notice an entry for TCP port 2222 in LISTENING state: the port is open and waiting for inbound connections, and the PID column tells you which process (here, netcat) owns it.</div><div><br /></div><div><a href="http://3.bp.blogspot.com/-pbjYHalZhA4/Wox2WYYfkSI/AAAAAAAAFWI/_uHIzflEb98JIs-d-iJu5V35vSxndN7sgCK4BGAYYCw/s1600/738d97081f6c86e3e541d0860e85c56c-774219.png"><img alt="" border="0" height="194" id="BLOGGER_PHOTO_ID_6524720087027388706" src="https://3.bp.blogspot.com/-pbjYHalZhA4/Wox2WYYfkSI/AAAAAAAAFWI/_uHIzflEb98JIs-d-iJu5V35vSxndN7sgCK4BGAYYCw/s640/738d97081f6c86e3e541d0860e85c56c-774219.png" width="640" /></a></div><div><br /></div><div><b><i>Intelligence on running processes</i></b></div><div><i><br /></i></div><div>To get information on running processes, we can use three different tools, each returning a different amount of detail about the system.</div><div><br /></div><div><i>a) Task Manager (taskmgr.exe): </i>That's a well-known tool. Not everyone knows, though, that Task Manager can show the processes of all users, not only those of the user currently logged on.</div><div><br /></div><div><a href="http://1.bp.blogspot.com/-hsaqdNQyYl8/Wox2XBQe89I/AAAAAAAAFWQ/DNTQ-DFFToEJxc7Tfv8gf6iFCHIWZtMVwCK4BGAYYCw/s1600/9ad0073882270cb78a2380c2cdbbd2ce-778746.png"><img alt="" border="0" height="640" id="BLOGGER_PHOTO_ID_6524720097999647698" src="https://1.bp.blogspot.com/-hsaqdNQyYl8/Wox2XBQe89I/AAAAAAAAFWQ/DNTQ-DFFToEJxc7Tfv8gf6iFCHIWZtMVwCK4BGAYYCw/s640/9ad0073882270cb78a2380c2cdbbd2ce-778746.png" width="596" /></a></div><div><br /></div><div><br /></div><div><i>b) Tasklist (tasklist.exe):</i> It's Task Manager's command-line counterpart and comes in handy if you want to save the list of running processes to a file (just redirect its output).</div><div><br /></div><div><a href="http://1.bp.blogspot.com/-8hf6Enx_K_k/Wox2YDH-WDI/AAAAAAAAFWY/rMvTQZ4J06YSuufWMq4hrgICdr8E7OxnwCK4BGAYYCw/s1600/6822be4fdb1077a12bc90eee87923706-782700.png"><img alt="" border="0" height="532" id="BLOGGER_PHOTO_ID_6524720115680696370" src="https://1.bp.blogspot.com/-8hf6Enx_K_k/Wox2YDH-WDI/AAAAAAAAFWY/rMvTQZ4J06YSuufWMq4hrgICdr8E7OxnwCK4BGAYYCw/s640/6822be4fdb1077a12bc90eee87923706-782700.png" width="640" /></a></div><div><br /></div><div><b>tasklist /svc</b> maps each process to the services it hosts, which is what you need to tell the many <i>svchost.exe</i> instances apart.</div><div><br /></div><div><br /></div><div>c) <i>wmic process list full: </i>It returns a large amount of information on each running process, including its full command line, executable path and parent PID.</div><div><br /></div><div><a href="http://1.bp.blogspot.com/-RCV_6MK9cBg/Wox2ZfPRwQI/AAAAAAAAFWg/XsaTvwVZ84YJoCFmQgCMxt9KYp3QsmI1wCK4BGAYYCw/s1600/898148b6f00106f8591ca61e676d5409-786695.png"><img alt="" border="0" height="264" id="BLOGGER_PHOTO_ID_6524720140407390466"
src="https://1.bp.blogspot.com/-RCV_6MK9cBg/Wox2ZfPRwQI/AAAAAAAAFWg/XsaTvwVZ84YJoCFmQgCMxt9KYp3QsmI1wCK4BGAYYCw/s640/898148b6f00106f8591ca61e676d5409-786695.png" width="640" /></a></div><div>Also, don't overlook <i>services.msc</i>, which gives an overview of the status of each installed service and of its dependencies.</div><div><br /></div><div><b><i>Retrieve large files</i></b></div><div><br /></div><div>Both from the command line and from Windows Explorer, we can search for files larger than a given size.</div><div><br /></div><div>This can help find malicious files the attacker might have uploaded to or created on the system under analysis.</div><div><br /></div><div>In the example below, I searched for all files larger than 10 MB.</div><div><br /></div><div><a href="http://4.bp.blogspot.com/-GOL72N2eMD8/Wox2aHSZacI/AAAAAAAAFWo/-O91LHzDmm8gZjFM0E0OPmp5dN0wA-J0wCK4BGAYYCw/s1600/002e74f13d5cb8e43af907ccbdff07f1-790391.png"><img alt="" border="0" height="208" id="BLOGGER_PHOTO_ID_6524720151157893570" src="https://4.bp.blogspot.com/-GOL72N2eMD8/Wox2aHSZacI/AAAAAAAAFWo/-O91LHzDmm8gZjFM0E0OPmp5dN0wA-J0wCK4BGAYYCw/s640/002e74f13d5cb8e43af907ccbdff07f1-790391.png" width="640" /></a></div><div><br /></div><div><i><b>Registry analysis</b></i></div><div><i><b><br /></b></i></div><div>Malware can try to persist on a system by creating autostart registry values, which Windows runs automatically at boot or at logon.</div><div><br /></div><div>Analyzing these keys can sometimes reveal interesting surprises.</div><div><br /></div><div>In more detail, the following keys should always be checked for malware analysis/troubleshooting purposes:</div><div><ol><li><span style="color: yellow;">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</span></li><li><span style="color: yellow;">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</span></li><li><span style="color: yellow;">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices</span></li><li><span style="color: yellow;">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</span></li><li><span style="color: yellow;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run</span></li><li><span style="color: yellow;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce</span></li><li><span style="color: yellow;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices</span></li><li><span style="color: yellow;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</span></li></ol><div><br /></div></div><div>Two caveats: the <i>RunServices</i> and <i>RunServicesOnce</i> keys are only processed by Windows 9x/ME, so on NT-based Windows an entry there is suspicious but won't actually execute; and on 64-bit Windows the <i>Wow6432Node</i> counterparts used by 32-bit software (e.g. <span style="color: yellow;">HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run</span>) deserve the same check.</div><div><br /></div><div>If you find a suspicious value in one of these locations, export it first, so that you keep the evidence, and then delete it.</div><div><br /></div><div>Removing all such entries eliminates one of the most common ways malware obtains persistence on a system.</div><div><br /></div><div><br /></div><div><i><b>Network shares and use</b></i></div><div><i><b><br /></b></i></div><div>We can see what sessions the local machine has opened with other systems: <i>net use</i> lists the shares this machine has mapped, and <i>net session</i> (from an elevated prompt) lists the inbound sessions other hosts have opened against it.</div><div><br /></div><div>As I'm analyzing a VMware VM that isn't part of a domain, the only output is the VMware shared folder.</div><div><br /></div><div><a href="http://1.bp.blogspot.com/-C8Oh-JTQUxk/Wox2bGiqA-I/AAAAAAAAFWw/auM_btFvF28fU00tqN2mey70KrmZfIkQgCK4BGAYYCw/s1600/729446d31296a9bc918aebe21a97f4cf-794201.png"><img alt="" border="0" height="266" id="BLOGGER_PHOTO_ID_6524720168137524194" src="https://1.bp.blogspot.com/-C8Oh-JTQUxk/Wox2bGiqA-I/AAAAAAAAFWw/auM_btFvF28fU00tqN2mey70KrmZfIkQgCK4BGAYYCw/s640/729446d31296a9bc918aebe21a97f4cf-794201.png" width="640" /></a></div><div><br /></div><div><i><b>Firewall
rules</b></i></div><div><br /></div><div>We can view the current Windows firewall settings with the <b>netsh <span style="color: yellow;">advfirewall show currentprofile</span></b> command (<i>currentprofile</i> is a single word); <b>netsh advfirewall firewall show rule name=all</b> dumps the individual rules, which is where an allow rule an attacker added for a backdoor port would show up.</div><div><a href="http://4.bp.blogspot.com/-B9PKGcvQBRo/Wox2cA9dQdI/AAAAAAAAFW4/IPfonz8FJu4AnJlsCF6SjyDTHtcHdFGEACK4BGAYYCw/s1600/e7c4ef1f5145960e7c6af9928aad1518-797993.png"><img alt="" border="0" height="70" id="BLOGGER_PHOTO_ID_6524720183819190738" src="https://4.bp.blogspot.com/-B9PKGcvQBRo/Wox2cA9dQdI/AAAAAAAAFW4/IPfonz8FJu4AnJlsCF6SjyDTHtcHdFGEACK4BGAYYCw/s640/e7c4ef1f5145960e7c6af9928aad1518-797993.png" width="640" /></a></div><div><br /></div><div><a href="http://2.bp.blogspot.com/-JLLjNXI-TMo/Wox2c6i0FyI/AAAAAAAAFXA/WXHL3lFNN2IkebUJ_x6bKTtZJ4iJBiENQCK4BGAYYCw/s1600/4025412d6986e8a6fa4795d5bb63a433-701178.png"><img alt="" border="0" height="226" id="BLOGGER_PHOTO_ID_6524720199276697378" src="https://2.bp.blogspot.com/-JLLjNXI-TMo/Wox2c6i0FyI/AAAAAAAAFXA/WXHL3lFNN2IkebUJ_x6bKTtZJ4iJBiENQCK4BGAYYCw/s640/4025412d6986e8a6fa4795d5bb63a433-701178.png" width="640" /></a></div><div><br /></div><div><b><i>Analyzing local users and groups</i></b></div><div><b><i><br /></i></b></div><div>We can load the <i>Local Users and Groups Manager </i>through the <b><span style="color: yellow;">lusrmgr.msc</span> </b>command.</div><div><b><i><br /></i></b></div><div>We notice there's an <i>Administrators</i> group and two users belong to it.</div><div><br /></div><div>Here nothing malicious pops up but, in other cases, we might find an unknown user account listed in this group that no sysadmin remembers creating. Guess what this might mean.</div><div><br /></div><div><a href="http://1.bp.blogspot.com/-urnzQ9nKI5w/Wox2dy-LMXI/AAAAAAAAFXI/XVAIAdraeXIrutd9_072xHqrR4I_z5nNwCK4BGAYYCw/s1600/964065515d0efd959138a0eb81b80524-704475.png"><img alt="" border="0" height="536" id="BLOGGER_PHOTO_ID_6524720214423843186" src="https://1.bp.blogspot.com/-urnzQ9nKI5w/Wox2dy-LMXI/AAAAAAAAFXI/XVAIAdraeXIrutd9_072xHqrR4I_z5nNwCK4BGAYYCw/s640/964065515d0efd959138a0eb81b80524-704475.png" width="640" /></a></div><div><br /></div><div><br /></div><div><span style="font-style: italic; font-weight: bold;">Auditing logons</span></div><div><span style="font-style: italic; font-weight: bold;"><br /></span></div><div>Security policy is another place to look when analyzing a system.</div><div><br /></div><div>We want to start the tool (<i>secpol.msc</i>) and, in <i>Local Policies/Audit Policy/Audit logon events</i>, enable auditing for <i>failure</i> events, as shown below (auditing <i>success</i> too is worth it: a successful logon with stolen credentials is exactly what you'd want to catch).</div><div><br /></div><div><a href="http://3.bp.blogspot.com/-TqAvzRBAtVA/Wox2eiZidrI/AAAAAAAAFXQ/3CmCGOshl-sAVYn9-eh20SYSpK71mwhMwCK4BGAYYCw/s1600/0015a27a8e9433a01e1a19ae8b42dace-708312.png"><img alt="" border="0" height="394" id="BLOGGER_PHOTO_ID_6524720227155080882" src="https://3.bp.blogspot.com/-TqAvzRBAtVA/Wox2eiZidrI/AAAAAAAAFXQ/3CmCGOshl-sAVYn9-eh20SYSpK71mwhMwCK4BGAYYCw/s640/0015a27a8e9433a01e1a19ae8b42dace-708312.png" width="640" /></a></div><div>This way, when a user fails to log in, we'll have an entry for it in the Security log (event ID 4625 on Windows Vista and later).</div><div><br /></div><div>At that point, I purposely tried to log in with the wrong password, and a Security event was correctly generated on the system.</div><div><br /></div><div><a href="http://1.bp.blogspot.com/-JDXhqzZ8b6s/Wox2frRsu1I/AAAAAAAAFXY/8a9ZPSgD5cg6FtT_jxNprJGMiRdLKC-IwCK4BGAYYCw/s1600/d91cc18b15477e96cdd56bf9e1b6c3f6-711929.png"><img alt="" border="0" height="440" id="BLOGGER_PHOTO_ID_6524720246717987666" src="https://1.bp.blogspot.com/-JDXhqzZ8b6s/Wox2frRsu1I/AAAAAAAAFXY/8a9ZPSgD5cg6FtT_jxNprJGMiRdLKC-IwCK4BGAYYCw/s640/d91cc18b15477e96cdd56bf9e1b6c3f6-711929.png" width="640" /></a></div><div><br /></div><div>We can also retrieve specific event IDs with a PowerShell script (more details in the video).</div><div><br /></div><div><br /></div><div><i>Wrap-up</i></div><div><br /></div><div>The whole point of this challenge is to stress how important it is to be able to use native system tools for live analysis of a running system.</div><div><br /></div><div>Yes, there are proprietary tools and they're often very good, but (as John points out) what if they don't work in your specific configuration, or some of them get discontinued?</div><div><br /></div><div>System tools are always there and work with any Windows configuration.</div><div><br /></div><div>Though they cost nothing, these tools deliver excellent results when used correctly.<br /><br /><a href="https://savvygeektips.blogspot.com/2018/02/tips-for-information-security.html" target="_blank"><b>Episode 56 </b></a></div></div><div class="blogger-post-footer"><hr />
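<div><br /></div><div>As an added example (not part of the original post or of John Strand's labs), the following Python 3.8+ script automates the comparison this two-part challenge sets up: it parses the output of <i>netstat -nao</i>, <i>tasklist /fo csv /nh</i> and <i>reg query</i> captured on the clean baseline and on the suspect host, and reports what the baseline cannot explain: new listening ports with the owning image name, established connections belonging to that same process, and Run-key values that are either new or point at user-writable paths, script hosts or script payloads. The PIDs, addresses, paths and registry values in the embedded samples are constructed for the example; the only things taken from the post are the tools themselves and the netcat listener on TCP 2222.</div><div><br /></div>

```python
import csv
import re
import shlex
from io import StringIO
# Constructed samples (assumption): shaped like the real tool output, not taken from the post.
BASELINE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  UDP    0.0.0.0:5355           *:*                                    1104
"""
SUSPECT_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:2222           0.0.0.0:0              LISTENING       3344
  TCP    192.168.80.130:49712   192.168.80.1:4444      ESTABLISHED     3344
  UDP    0.0.0.0:5355           *:*                                    1104
"""
SUSPECT_TASKLIST = """\
"svchost.exe","812","Services","0","9,820 K"
"nc.exe","3344","Console","1","3,412 K"
"""
BASELINE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\mattia\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
"""
SUSPECT_REG = BASELINE_REG + r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Updater    REG_SZ    "C:\Program Files\Vendor\updater.exe" /quiet
    WinUpdate    REG_SZ    C:\Users\Public\svch0st.exe -l 2222
    Helper    REG_SZ    wscript.exe //B "C:\Users\mattia\AppData\Roaming\helper.vbs"
"""

def parse_netstat(text):
    """(proto, local, foreign, state, pid) rows from 'netstat -nao' output."""
    rows = []
    for f in (line.split() for line in text.splitlines()):
        if f and f[0] == "TCP":
            rows.append((f[0], f[1], f[2], f[3], int(f[4])))
        elif f and f[0] == "UDP":  # UDP rows have no State column
            rows.append((f[0], f[1], f[2], "", int(f[3])))
    return rows

def parse_tasklist(text):  # PID -> image name from 'tasklist /fo csv /nh'
    return {int(r[1]): r[0] for r in csv.reader(StringIO(text)) if r}

REG_VALUE = re.compile(r"^ {4}(.+?) {4}(REG_\w+) {4}(.*)$")
def parse_reg_query(text):  # (key, value name, data) triples from 'reg query' output
    entries, key = [], None
    for line in text.splitlines():
        if line and not line.startswith(" "):
            key = line.strip()  # an unindented line names the key the values below belong to
        elif (m := REG_VALUE.match(line)):
            entries.append((key, m.group(1), m.group(3)))
    return entries

def bound_ports(rows):  # (proto, port) pairs the host accepts traffic on
    return {(p, l.rsplit(":", 1)[1]) for p, l, _, s, _ in rows if s == "LISTENING" or p == "UDP"}

USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\windows\\temp\\", "%temp%", "%appdata%")
LOLBINS = ("wscript", "cscript", "mshta", "powershell", "rundll32", "regsvr32", "cmd")

def autorun_reasons(command):
    """Cheap heuristics for a Run value's command line; [] means 'looks ordinary'."""
    c, reasons = command.lower(), []
    if any(p in c for p in USER_WRITABLE):
        reasons.append("runs from a user-writable path")
    host = (shlex.split(c, posix=False) or [""])[0].strip('"').rsplit("\\", 1)[-1]
    host = host[:-4] if host.endswith(".exe") else host
    if host in LOLBINS:
        reasons.append(f"launched via {host}")
    if re.search(r"\.(vbs|vbe|js|jse|hta|bat|cmd|ps1|scr)\b", c):
        reasons.append("script or screensaver payload")
    return reasons

def triage(base_ns, sus_ns, sus_tasks, base_reg, sus_reg):
    """Everything on the suspect host that the clean baseline cannot explain."""
    images, known = parse_tasklist(sus_tasks), bound_ports(parse_netstat(base_ns))
    suspect, hits, new_pids = parse_netstat(sus_ns), [], set()
    for p, l, f, s, pid in suspect:
        port = l.rsplit(":", 1)[1]
        if (s == "LISTENING" or p == "UDP") and (p, port) not in known:
            hits.append({"kind": "new listener", "subject": f"{p}/{port}",
                         "pid": pid, "image": images.get(pid, "?")})
            new_pids.add(pid)
    for p, l, f, s, pid in suspect:  # who is the new listener's process talking to?
        if s == "ESTABLISHED" and pid in new_pids:
            hits.append({"kind": "connection", "subject": f"{p} {l} -> {f}",
                         "pid": pid, "image": images.get(pid, "?")})
    known_runs = set(parse_reg_query(base_reg))
    for key, name, data in parse_reg_query(sus_reg):
        if (key, name, data) not in known_runs:
            hits.append({"kind": "new autorun", "subject": name, "key": key, "command": data,
                         "reasons": ["not in baseline"] + autorun_reasons(data)})
    return hits

if __name__ == "__main__":
    for hit in triage(BASELINE_NETSTAT, SUSPECT_NETSTAT, SUSPECT_TASKLIST, BASELINE_REG, SUSPECT_REG):
        print(hit)
```

<div>Run it as-is to see the findings for the constructed samples; on a real case, replace the sample strings with the saved output of the same three commands from both machines (redirect each command to a file, as the post suggests for tasklist, and run <i>reg query</i> once per key in the list above). The heuristics are deliberately cheap: they flag, they don't convict, and the OneDrive entry shows why the baseline matters, since a legitimate program living under AppData would otherwise be reported. Anything flagged still needs the owning file, its hash and its signature looked at.</div>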
</div><div class="feedflare">
</div>http://feedproxy.google.com/~r/blogspot/HLRhI/~3/Y5LlXTGQT1Q/tips-for-information-security_20.htmlnoreply@blogger.com (Mattia Campagnano)0http://savvygeektips.blogspot.com/2018/02/tips-for-information-security_20.htmltag:blogger.com,1999:blog-2419284614709488194.post-2985360400990327140Mon, 12 Feb 2018 02:24:00 +00002018-02-13T10:27:30.409-05:00cybersecurityhackingpentestingtips&tricksTips for an Information Security Analyst/Pentester career - Ep. 56: Autosploit<div class="ennote"><div>There are several <a href="https://www.peerlyst.com/posts/autosploit-discussion-irresponsible-release-or-not-block-shodan-scans-on-your-corp-network-s-delano?trk=search_page_search_result">online discussions and controversies</a> about a new tool called <span style="font-style: italic;">Autosploit</span>, which promises to automate mass exploitation of vulnerable devices by combining the Shodan API with the Metasploit framework.</div><div><br /></div><div>Some have voiced concerns about criminal use of this tool and called its release irresponsible on the author's part.</div><iframe allow="autoplay; encrypted-media" allowfullscreen="" frameborder="0" height="315" src="https://www.youtube.com/embed/A7qqm3OBL00" width="560"></iframe> <div><br /></div><div><span style="font-style: italic;">Prep stage</span></div><div><br /></div><div>I deeply dislike political debates, so I decided to form my own opinion by testing the tool, available<a href="https://github.com/NullArray/AutoSploit"> here</a>, myself.</div><div><br /></div><div>It is essentially a Python script that depends on two Python packages, <span style="font-style: italic;">shodan</span> and <span style="font-style: italic;">blessings</span>.</div><div><br /></div><div>Autosploit also requires a <span style="font-weight: bold;">Shodan API key</span>.
&nbsp;</div><div><br /></div><div>You can get one by signing up for Shodan.</div><div><br /></div><div><a href="http://1.bp.blogspot.com/-TNqiNoRmhI4/WoD5HjSA2FI/AAAAAAAAFVU/PoAIIBtNoKUpeelOcFMyLzLjDfEkNRRkgCK4BGAYYCw/s1600/ad1ef6f6281bb51f8b73e4a93cfb078f-720082.png"><img alt="" border="0" height="344" id="BLOGGER_PHOTO_ID_6521486168557672530" src="https://1.bp.blogspot.com/-TNqiNoRmhI4/WoD5HjSA2FI/AAAAAAAAFVU/PoAIIBtNoKUpeelOcFMyLzLjDfEkNRRkgCK4BGAYYCw/s640/ad1ef6f6281bb51f8b73e4a93cfb078f-720082.png" width="640" /></a></div><div><br /></div><div><span style="font-style: italic;">How it works</span></div><div><br /></div><div>On startup, Autosploit checks that the PostgreSQL and Apache services are running (PostgreSQL is Metasploit's database backend) and then displays a menu with four choices.</div><div><br /></div><div><a href="http://3.bp.blogspot.com/-SHodWgifKpA/WoD5II4sWBI/AAAAAAAAFVc/AMr4Efms4401kaw-rcegelkzodPAyzshQCK4BGAYYCw/s1600/e367afdd6ba8fa30902861cc68b363e1-723236.png"><img alt="" border="0" height="384" id="BLOGGER_PHOTO_ID_6521486178652018706" src="https://3.bp.blogspot.com/-SHodWgifKpA/WoD5II4sWBI/AAAAAAAAFVc/AMr4Efms4401kaw-rcegelkzodPAyzshQCK4BGAYYCw/s640/e367afdd6ba8fa30902861cc68b363e1-723236.png" width="640" /></a></div><div><br /></div><div>I first started gathering hosts by using the <span style="font-style: italic;">Windows</span> keyword.</div><div><br /></div><div>Before moving to the exploitation stage, I redirected all traffic through Tor.</div><div><br /></div><div>When we choose option 4 (<span style="font-style: italic;">Exploit</span>), Autosploit automatically selects all the Metasploit modules it considers relevant for Windows targets.</div><div><br /></div><div>There seems to be no way to select an individual exploit at this point.
However, any evaluation of this tool can't overlook that it's still at a very early stage of development.</div><div><br /></div><div>The way it is structured so far, all the selected exploits appear to be run one after another, which is good in terms of automation but not always desirable for an effective pentest.</div><div><a href="http://1.bp.blogspot.com/-LywYO7RpVfs/WoD5I0_vFYI/AAAAAAAAFVk/Ms7vBTQ04SgJWsPpLkYSHjJ736d-n_ScwCK4BGAYYCw/s1600/b8bee581eb43ea56ec78b9defe1a1609-725914.png"><img alt="" border="0" height="420" id="BLOGGER_PHOTO_ID_6521486190492718466" src="https://1.bp.blogspot.com/-LywYO7RpVfs/WoD5I0_vFYI/AAAAAAAAFVk/Ms7vBTQ04SgJWsPpLkYSHjJ736d-n_ScwCK4BGAYYCw/s640/b8bee581eb43ea56ec78b9defe1a1609-725914.png" width="640" /></a></div><div><br /></div><div>In the wrong hands, it could surely cause a lot of mayhem, and a lot of noise.</div><div><br /></div><div><a href="http://4.bp.blogspot.com/-KBz2-bb3wwM/WoD5JU88G6I/AAAAAAAAFVs/79cu4nNFmIkE-CloDBsvYkTntDFu42LwQCK4BGAYYCw/s1600/a3275d7522d9fa50f070dd8c19a1eff7-728202.png"><img alt="" border="0" height="412" id="BLOGGER_PHOTO_ID_6521486199070923682" src="https://4.bp.blogspot.com/-KBz2-bb3wwM/WoD5JU88G6I/AAAAAAAAFVs/79cu4nNFmIkE-CloDBsvYkTntDFu42LwQCK4BGAYYCw/s640/a3275d7522d9fa50f070dd8c19a1eff7-728202.png" width="640" /></a></div><div><br /></div><div><span style="font-style: italic;">Wrap-up</span></div><div><br /></div><div>Automation made some of mankind's greatest achievements possible.</div><div><br /></div><div>However, in information security, automation isn't always possible or desirable.</div><div><br /></div><div>Sure, such a tool in the wrong hands could wreak havoc, but any tool can be used for good or bad, and the author isn't necessarily to blame for this.</div><div><br /></div><div>I'm personally not convinced that, the way this tool is structured so far, it can help with an efficient penetration test.</div><div><br /></div><div>No two systems are created equal and, without a
proper reconnaissance stage, tools like Autosploit can be a total waste of time.</div><div><br /></div><div>However, the blame belongs elsewhere than with the Autosploit author.</div><div><br /></div><div>Corporations and organizations that don't follow best practices, don't update their devices and, as a result, expose themselves to a Shodan search have no one to blame but themselves.</div><div><br /></div><div>We may well see more arrests of careless script kiddies, so I strongly advise you not to do anything stupid you might regret one day.</div><div><br /></div><div>Given the political witch-hunt climate, all the authorities want is to send some hackers to the stake, so please, <i>please</i>, think twice before ruining your life.<br /><br /><a href="https://savvygeektips.blogspot.com/2018/01/tips-for-information-security_22.html" target="_blank"><b>Episode 55</b></a> </div></div><div class="blogger-post-footer"><hr />
</div><div class="feedflare">
</div>http://feedproxy.google.com/~r/blogspot/HLRhI/~3/8D_seFIuEms/tips-for-information-security.htmlnoreply@blogger.com (Mattia Campagnano)0http://savvygeektips.blogspot.com/2018/02/tips-for-information-security.htmltag:blogger.com,1999:blog-2419284614709488194.post-316382683651455025Sat, 10 Feb 2018 00:35:00 +00002018-02-09T19:35:16.563-05:00cybersecuritygeneraltips&tricksWhy I like to post on Peerlyst <a href="https://www.peerlyst.com/?utm_source=mattia-campagnano-13-years-experience-akron-oh" target="_blank">Peerlyst </a>is a focused infosec community where you can meet peers and have very professional and helpful discussions.<br /><br />I discovered it a while ago and I've become increasingly involved in the platform, abandoning LinkedIn, which is no longer helpful for my content.<br /><br />I'm not a marketer and I don't sell stuff.<br /><br />I only try to promote knowledge.<br /><br />I'm not paid to tell you guys this, and I do it only because I received a lot of help and useful tips from the community.<br /><br />Therefore, if you want to check it out, there you go.<br /><br />Have a nice weekend, guys!<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-GelBgAkTpW4/U-Q9n-s0fuI/AAAAAAAACEE/rLfbHF1DAoIrpPD1D7pD28rdUEN910zZgCPcBGAYYCw/s1600/f50268461eb9a0caef874d50b251de87-710065.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="846" data-original-width="917" height="588" src="https://3.bp.blogspot.com/-GelBgAkTpW4/U-Q9n-s0fuI/AAAAAAAACEE/rLfbHF1DAoIrpPD1D7pD28rdUEN910zZgCPcBGAYYCw/s640/f50268461eb9a0caef874d50b251de87-710065.png" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a
href="https://1.bp.blogspot.com/-UUcaWYiD_R0/VBZQuY9g0yI/AAAAAAAACTk/6nJe8sZUWYIWaXB1Yn-WfW36qeOLJox4ACPcBGAYYCw/s1600/8b718bc7bbf926ecae72a37f433aefd7-701364.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="401" data-original-width="893" height="286" src="https://1.bp.blogspot.com/-UUcaWYiD_R0/VBZQuY9g0yI/AAAAAAAACTk/6nJe8sZUWYIWaXB1Yn-WfW36qeOLJox4ACPcBGAYYCw/s640/8b718bc7bbf926ecae72a37f433aefd7-701364.png" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-8TmGNRCdEsc/VJXgVZI-KHI/AAAAAAAACtY/A9yJVZwmO5oRW9ayx95P1k-TQLD-sYMxgCPcBGAYYCw/s1600/9df650d128c84676ad33da7810a33902-736956.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="900" data-original-width="1600" height="360" src="https://2.bp.blogspot.com/-8TmGNRCdEsc/VJXgVZI-KHI/AAAAAAAACtY/A9yJVZwmO5oRW9ayx95P1k-TQLD-sYMxgCPcBGAYYCw/s640/9df650d128c84676ad33da7810a33902-736956.jpeg" width="640" /></a></div><br /><div class="blogger-post-footer"><hr />
</div><div class="feedflare">
</div>http://feedproxy.google.com/~r/blogspot/HLRhI/~3/Go0RbWVBLU0/why-i-like-to-post-on-peerlyst.htmlnoreply@blogger.com (Mattia Campagnano)0http://savvygeektips.blogspot.com/2018/02/why-i-like-to-post-on-peerlyst.htmltag:blogger.com,1999:blog-2419284614709488194.post-2008119575807897834Tue, 23 Jan 2018 03:14:00 +00002018-02-10T12:08:25.553-05:00cybersecurityhackingpentestingtips&tricksTips for an Information Security Analyst/Pentester career - Ep. 55: Deception (Honeypots)<div class="ennote"><div>In the last three posts we've dealt with detection of a Meterpreter payload.</div><div><br /></div><div>Let's now see how we can use deception to fool our attackers, by deploying a <a href="https://en.wikipedia.org/wiki/Honeypot_(computing)">honeypot</a> (<i>if you don't know what I'm talking about, <span style="font-style: italic;">check the link for a definition of this term</span></i>).</div><div><br /></div><div>For the purposes of this tutorial, I'm going to use a custom Linux distribution based on Xubuntu, called <a href="https://sourceforge.net/projects/honeydrive/">Honeydrive</a>, which includes several honeypots already pre-installed and configured.<br /><br /><iframe allow="autoplay; encrypted-media" allowfullscreen="" frameborder="0" height="315" src="https://www.youtube.com/embed/1aZm9S6dQTY" width="560"></iframe></div><div><br /></div><div>I'm going to analyze a very popular honeypot, called <span style="color: yellow;"><b>Dionaea</b></span>.<br /><br />Once you've downloaded the OVA file, you can import and run the VM in VirtualBox or VMware.</div><div><br /></div><div>Once the VM has booted up, all its configuration details are explained in the <span style="color: yellow;"><b>README.txt</b> </span>file, located on the desktop.</div><div><br /></div><div><a
href="http://2.bp.blogspot.com/-gyM3q-Oz7T0/WmalxOUxArI/AAAAAAAAFTs/kql0GRh9pEMKScnjkV1N89KfXz10V4iRQCK4BGAYYCw/s1600/84aa0f9409d8113f361d7a6508167af8-746668.png"><img alt="" border="0" height="392" id="BLOGGER_PHOTO_ID_6514076176115368626" src="https://2.bp.blogspot.com/-gyM3q-Oz7T0/WmalxOUxArI/AAAAAAAAFTs/kql0GRh9pEMKScnjkV1N89KfXz10V4iRQCK4BGAYYCw/s640/84aa0f9409d8113f361d7a6508167af8-746668.png" width="640" /></a></div><div>After starting the honeypot by running its start script, I performed an Nmap scan from Kali Linux to see what was detected on the other end.</div><div><br /></div><div><i>Problem&nbsp;</i></div><div><br /></div><div>Sadly, the default configuration for Dionaea isn't stealthy enough, and Nmap detected it immediately.</div><div><br /></div><div><a href="http://2.bp.blogspot.com/-zq_yo3YLhRY/Wmalx23qAOI/AAAAAAAAFT0/_fTLxFtBrEwr2nZkqRMXVIU3Tt-Dgo46wCK4BGAYYCw/s1600/1750040fedb3adeadeb028f865341f09-750398.png"><img alt="" border="0" height="372" id="BLOGGER_PHOTO_ID_6514076186999128290" src="https://2.bp.blogspot.com/-zq_yo3YLhRY/Wmalx23qAOI/AAAAAAAAFT0/_fTLxFtBrEwr2nZkqRMXVIU3Tt-Dgo46wCK4BGAYYCw/s640/1750040fedb3adeadeb028f865341f09-750398.png" width="640" /></a></div><div><br /></div><div>Its creator doesn't have the time or resources to play this cat and mouse game between Dionaea and tools like Nmap, which constantly update their signatures.</div><div><br /></div><div><i>Solution</i></div><div><br /></div><div>The first thing we want to do is change the MAC address of the network adapter, so our honeypot doesn't give itself away as a VM.</div><div><br /></div><div>For this purpose, we need to go to<i> Settings/Network Adapter/Advanced Settings</i> (it's pretty much the same in both VMware and VirtualBox).</div><div><br /></div><div>We want to change the first three octets of the MAC address, so that it matches the organizationally unique identifier (OUI) of a specific manufacturer, as shown <a 
href="http://standards-oui.ieee.org/oui/oui.txt">here</a>.</div><div><br /></div><div>We might also want to change the default username and password (<i>honeydrive/honeydrive</i>), as they're too revealing. </div><div><br /></div><div><a href="http://3.bp.blogspot.com/-0VlWkU7N4Xw/WmalylC4QaI/AAAAAAAAFT8/1dS-inKf-4clsPZklQcjfE_TlFw_0aEigCK4BGAYYCw/s1600/3d0f38ab44f658c6259eec171f201109-753154.png"><img alt="" border="0" height="474" id="BLOGGER_PHOTO_ID_6514076199394230690" src="https://3.bp.blogspot.com/-0VlWkU7N4Xw/WmalylC4QaI/AAAAAAAAFT8/1dS-inKf-4clsPZklQcjfE_TlFw_0aEigCK4BGAYYCw/s640/3d0f38ab44f658c6259eec171f201109-753154.png" width="640" /></a></div><div><i><br /></i></div><div><i>Nmap signatures and detection</i></div><div><br /></div><div>The problem with Dionaea can be solved by understanding how Nmap detects a specific service and making some changes to the honeypot configuration files.</div><div><br /></div><div>First of all, we need to stop the honeypot by killing its related services (<b><span style="color: yellow;">ps -ef | grep -i dionaea | grep -v grep</span> </b>to find the PIDs of its related services, then the <i>kill</i> command to stop them).</div><div><a href="http://1.bp.blogspot.com/-v1H0_mWJHc0/WmalzYOvHkI/AAAAAAAAFUE/agurBxASoHoykpDWuhZ9obPUhor18--pACK4BGAYYCw/s1600/9e6c9da85672274118659ba13a27813f-755841.png"><img alt="" border="0" height="172" id="BLOGGER_PHOTO_ID_6514076213134171714" src="https://1.bp.blogspot.com/-v1H0_mWJHc0/WmalzYOvHkI/AAAAAAAAFUE/agurBxASoHoykpDWuhZ9obPUhor18--pACK4BGAYYCw/s640/9e6c9da85672274118659ba13a27813f-755841.png" width="640" /></a></div><div>We can see how <i>Nmap</i> detects the services running on the target machine through the command&nbsp;<b><i><span style="color: yellow;">cat /usr/share/nmap/nmap-service-probes | grep -i Dionaea</span></i></b>, which lists every signature in Nmap's service-probe database that references Dionaea and produces the following output:</div><div><b><br /></b></div><div><a 
href="http://3.bp.blogspot.com/-kCXJUrxCBPk/Wmal0DfaflI/AAAAAAAAFUM/i5hVWb5bHLE-5vI2ieHTG0gU2HuvihQBgCK4BGAYYCw/s1600/d568acc612888526a46bc7934d80741c-758566.png"><img alt="" border="0" height="334" id="BLOGGER_PHOTO_ID_6514076224746847826" src="https://3.bp.blogspot.com/-kCXJUrxCBPk/Wmal0DfaflI/AAAAAAAAFUM/i5hVWb5bHLE-5vI2ieHTG0gU2HuvihQBgCK4BGAYYCw/s640/d568acc612888526a46bc7934d80741c-758566.png" width="640" /></a></div><div><br /></div><div><i>Deception through tweaking</i></div><div><i><br /></i></div><div><i>a) FTP&nbsp;</i></div><div><br /></div><div>Going to <i>/opt/dionaea/lib/dionaea/python/dionaea/ftp.py</i>, we can change the settings related to the FTP server.</div><div><br /></div><div>Nmap raises a red flag when it detects a "<span style="color: yellow;"><b>Welcome to the FTP service</b></span>" string, so we can change it to something different. I changed it here to <i>VSFTPD 3.0.3</i>.<a href="http://3.bp.blogspot.com/-WKsMDjgkKkc/Wmal0_3LmtI/AAAAAAAAFUU/csYDXGe3cXYBoyr6Vc6Uj_lVh9w6femcQCK4BGAYYCw/s1600/bbcaed2e7040fa9413d6014e102f5e35-762152.png"><img alt="" border="0" height="92" id="BLOGGER_PHOTO_ID_6514076240952662738" src="https://3.bp.blogspot.com/-WKsMDjgkKkc/Wmal0_3LmtI/AAAAAAAAFUU/csYDXGe3cXYBoyr6Vc6Uj_lVh9w6femcQCK4BGAYYCw/s640/bbcaed2e7040fa9413d6014e102f5e35-762152.png" width="640" /></a></div><div><br /></div><div><i>b) MS SQL:&nbsp;</i>Going to<span style="font-style: italic;"> </span><span style="font-style: italic;">/opt/dionaea/lib/dionaea/python/dionaea/mssql/mssql.py, </span>we need to change the highlighted string from <span style="color: yellow;"><b>0x00</b></span> to something else.&nbsp;</div><div><br /></div><div><a href="http://2.bp.blogspot.com/-DlTPits0Xj4/Wmal1vIneoI/AAAAAAAAFUc/hbUHgzIU-4w6tY7YDZDhGJfk7qloNXpWgCK4BGAYYCw/s1600/250f235f9417e34112698abef366540f-764735.png"><img alt="" border="0" height="438" id="BLOGGER_PHOTO_ID_6514076253642259074" 
src="https://2.bp.blogspot.com/-DlTPits0Xj4/Wmal1vIneoI/AAAAAAAAFUc/hbUHgzIU-4w6tY7YDZDhGJfk7qloNXpWgCK4BGAYYCw/s640/250f235f9417e34112698abef366540f-764735.png" width="640" /></a></div><div><br /></div><div><i>c) SMB:&nbsp;</i></div><div><i><span style="font-style: italic;"><br /></span></i></div><div>Going to<span style="font-style: italic;"> /opt/dionaea/lib/dionaea/python/dionaea/smb/include/smbfields.py, </span>we need to change two strings: "WORKGROUP", under <i>OemDomainName</i>, and "HOMEUSER-3AF6FE", under <i>ServerName</i>, to something different.</div><div><br /></div><div><a href="http://1.bp.blogspot.com/-vhfBgM2zgYo/Wmal2aA7tfI/AAAAAAAAFUk/TFQvqLm3A7cw5-qCNyDYT6qulG8UPQkdwCK4BGAYYCw/s1600/f3692d2c9eb81f7bfe3d56a1808b79ac-767205.png"><img alt="" border="0" height="434" id="BLOGGER_PHOTO_ID_6514076265152755186" src="https://1.bp.blogspot.com/-vhfBgM2zgYo/Wmal2aA7tfI/AAAAAAAAFUk/TFQvqLm3A7cw5-qCNyDYT6qulG8UPQkdwCK4BGAYYCw/s640/f3692d2c9eb81f7bfe3d56a1808b79ac-767205.png" width="640" /></a></div><div><br /></div><div><br /></div><div><i>d) HTTP</i></div><div><i><br /></i></div><div>I created a default HTML page using source code taken from an existing website.</div><div><br /></div><div>I copied said source code to<b> /opt/dionaea/var/dionaea/wwwroot/index.html.</b></div><div><br /></div><div><a href="http://4.bp.blogspot.com/-PbIaD7aGzjc/Wmal27ZEG9I/AAAAAAAAFUs/Bx1NsJG_vcgmjEquyItbatNnGi4NK8fkACK4BGAYYCw/s1600/e515f654623cc083bda3074239b57f78-769798.png"><img alt="" border="0" height="442" id="BLOGGER_PHOTO_ID_6514076274112338898" src="https://4.bp.blogspot.com/-PbIaD7aGzjc/Wmal27ZEG9I/AAAAAAAAFUs/Bx1NsJG_vcgmjEquyItbatNnGi4NK8fkACK4BGAYYCw/s640/e515f654623cc083bda3074239b57f78-769798.png" width="640" /></a></div><div><br /></div><div><br /></div><div><i>Final result&nbsp;</i></div><div><i><br /></i></div><div>We can now restart our honeypot and perform a new Nmap scan from Kali Linux.</div><div><br /></div><div>This time around, no service is detected as a Dionaea honeypot any longer.</div><div><br /></div><div>We're now ready to use our honeypot in order to deceive and study any potential attackers.</div><div><br /></div><div><a href="http://4.bp.blogspot.com/-wQX5AdUa6fM/Wmal3fgCvLI/AAAAAAAAFU0/RSj3jfSnb2wHx3GXaViFVwFPMCZXRZFUQCK4BGAYYCw/s1600/dce6ab72967a8aa86fde3f3d38b43609-772646.png"><img alt="" border="0" height="254" id="BLOGGER_PHOTO_ID_6514076283805285554" src="https://4.bp.blogspot.com/-wQX5AdUa6fM/Wmal3fgCvLI/AAAAAAAAFU0/RSj3jfSnb2wHx3GXaViFVwFPMCZXRZFUQCK4BGAYYCw/s640/dce6ab72967a8aa86fde3f3d38b43609-772646.png" width="640" /></a></div><div><br /></div><div><b><a href="https://savvygeektips.blogspot.com/2018/01/tips-for-information-security_19.html" target="_blank">Episode 54</a></b></div></div><div class="blogger-post-footer"><hr />
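As an added example (my code, not from the post, Dionaea or Nmap), here is a small Python checker that shows the mechanism behind the grep above: it parses match lines written in the nmap-service-probes syntax and reports which product a banner would be fingerprinted as, so you can confirm that a tuned banner no longer trips a honeypot signature. The probe lines and banners inside are constructed for the demo in that syntax, not copied from Nmap's database.

```python
"""Banner checker in the nmap-service-probes "match" syntax.

Added example for the Dionaea tuning described above (not code from the
post, Dionaea or Nmap): it reads match lines the way Nmap's version
detection does, then reports which product a banner would be labelled
as, so an operator can confirm a tuned banner no longer hits a honeypot
signature. Probe lines and banners below are constructed for the demo.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in nmap-service-probes syntax (NOT copied from Nmap):
#   match <service> m<delim>regex<delim>[flags] [p/product/ v/version/ ...]
SAMPLE_PROBES = r"""
# Probe TCP NULL q||
match ftp m|^220 Welcome to the FTP service\r\n| p/Dionaea honeypot ftpd/
match ftp m|^220 \(vsFTPd ([\d.]+)\)\r\n| p/vsftpd/ v/$1/
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: nginx/([\d.]+)|s p/nginx/ v/$1/
match smb m|^\0\0\0.\xffSMB.*HOMEUSER-3AF6FE|s p/Dionaea honeypot smbd/
"""

# match/softmatch <service> m<delim><regex><delim><flags> <versioninfo>
MATCH_RE = re.compile(r"^(match|softmatch)\s+(\S+)\s+m(.)(.*?)\3([is]*)(?:\s+(.*))?$")
# versioninfo fields: p/product/ v/version/ i/info/ h/hostname/ o/os/ d/devicetype/
FIELD_RE = re.compile(r"([pvihod])/([^/]*)/")


@dataclass
class MatchRule:
    kind: str             # "match" or "softmatch"
    service: str          # e.g. "ftp"
    pattern: re.Pattern   # compiled signature regex
    product: str          # p/.../ field, "" if absent
    version: str          # v/.../ template, may reference $1, $2, ...


def parse_probes(text: str) -> List[MatchRule]:
    """Turn match lines into compiled rules; other line types are ignored."""
    rules: List[MatchRule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MATCH_RE.match(line)
        if not m:
            continue  # Probe/ports/rarity lines are not needed here
        kind, service, _delim, regex, flags, fields = m.groups()
        re_flags = 0
        if "i" in flags:
            re_flags |= re.IGNORECASE
        if "s" in flags:
            re_flags |= re.DOTALL  # Nmap's "s": '.' also matches newline
        info = dict(FIELD_RE.findall(fields or ""))
        rules.append(MatchRule(kind, service, re.compile(regex, re_flags),
                               info.get("p", ""), info.get("v", "")))
    return rules


def expand_version(template: str, m: re.Match) -> str:
    """Fill $1, $2, ... in a versioninfo template from the regex captures."""
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", template)


def fingerprint(banner: bytes, rules: List[MatchRule]) -> Optional[Dict[str, str]]:
    """First rule that matches the banner, in file order, as Nmap -sV would."""
    text = banner.decode("latin-1")  # 1:1 byte mapping so \xff etc. still match
    for rule in rules:
        m = rule.pattern.search(text)
        if m:
            return {"service": rule.service, "product": rule.product,
                    "version": expand_version(rule.version, m)}
    return None


def honeypot_hits(banners: Dict[str, bytes], rules: List[MatchRule]) -> List[str]:
    """Names of the banners that would still be labelled as a honeypot."""
    hits = []
    for name, banner in banners.items():
        fp = fingerprint(banner, rules)
        if fp and "honeypot" in fp["product"].lower():
            hits.append(name)
    return hits


if __name__ == "__main__":
    rules = parse_probes(SAMPLE_PROBES)
    # Constructed banners: Dionaea's default FTP greeting vs. a tuned one.
    before = {"ftp": b"220 Welcome to the FTP service\r\n"}
    after = {"ftp": b"220 (vsFTPd 3.0.3)\r\n"}
    print("still flagged:", honeypot_hits(before, rules))  # ['ftp']
    print("still flagged:", honeypot_hits(after, rules))   # []
    print(fingerprint(after["ftp"], rules))  # product 'vsftpd', version '3.0.3'
```

A banner that matches no signature at all (a bare VSFTPD 3.0.3, for instance, since real vsftpd greets with 220 (vsFTPd 3.0.3)) comes back as unknown rather than as vsftpd: that still avoids the honeypot label, but an unidentified service is itself a tell worth avoiding.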
<a href="http://savvygeektips.blogspot.com">One Tip A Day Tech Blog</a></div><div class="feedflare">
</div>(Ep. 55 permalink: http://savvygeektips.blogspot.com/2018/01/tips-for-information-security_22.html) Tips for an Information Security Analyst/Pentester career - Ep. 54: (Humble) recommendations to land a job in info sec (Sat, 20 Jan 2018 01:22:00 +0000; Mattia Campagnano; tags: About Me, cybersecurity, general, tips&tricks)<div class="ennote"><div>As some of you who follow me closely might know, I recently got a new job as an IT Security Associate, all of a sudden.</div><div><br /></div><div>I'm very excited for this new opportunity and for being able to find a job in my metropolitan area, where info sec positions aren't really all over the place.</div><div><br /></div><div>Regardless of what's around the corner in my professional future, I'll always be grateful to my new employer for giving me a chance after being far from the industry for so long.</div><div><br /></div><div>Jeez, I had almost forgotten that feeling.</div><div><br /></div><div><span style="color: yellow;"><b>The monitors, the SIEM, the logs, the tickets, the challenges… I'm back home, baby.</b></span><a href="http://1.bp.blogspot.com/-WWCtlDtcZOQ/WmKWoDJw48I/AAAAAAAAFTM/ZBtHxyoKASQsn2VvLYl7RGXFH1MhAKGGgCK4BGAYYCw/s1600/911e8cb8eb9002374515b85793333b21-726529.jpeg"><img alt="" border="0" height="324" id="BLOGGER_PHOTO_ID_6512933625916351426" src="https://1.bp.blogspot.com/-WWCtlDtcZOQ/WmKWoDJw48I/AAAAAAAAFTM/ZBtHxyoKASQsn2VvLYl7RGXFH1MhAKGGgCK4BGAYYCw/s640/911e8cb8eb9002374515b85793333b21-726529.jpeg" width="640" /></a></div><div><br /></div><div>Back where I belong.</div><div><br /></div><div>But this post isn't about myself.</div><div><br /></div><div>I don't care for self-celebration, even though I'm very glad 
right now.</div><div><br /></div><div>I want to talk about my experience to help others land a job in information security, because it's way harder than you might think, or rather it's very hard if you do what everybody else does.</div><div><br /></div><div><span style="font-style: italic;">Problems</span></div><div><br /></div><div>I talked about some of these issues in episode 1 of this series: <a href="https://savvygeektips.blogspot.com/2017/07/tips-for-for-information-security.html">Tips for an Information Security Analyst/Pentester career - Episode 1: General and technical hints</a>&nbsp;(could you guys believe I started out writing this stuff in July?), so please check out my older post for some useful references.</div><div><br /></div><div>I'm adding here a series of additional insights based on the experience I had over 6 months of dealing with recruiters, job interviews that led me nowhere, missed promises, setbacks and disappointments, until I finally saw the light at the end of the tunnel.</div><div><br /></div><div><span style="font-style: italic;">Why you're not getting a job</span></div><div><br /></div><div><ol><li><span style="font-style: italic;">THERE ARE NO TRUE ENTRY-LEVEL JOBS OUT THERE. THEY DON'T POST THEM: </span>They want you to have experience in order to get experience in the industry. Crazy, right? Well, there's something you can do about this and I'll show you what.</li><li><span style="font-style: italic;">Unrealistic requirements: </span>That's a biggie. Most companies set a list of unrealistic skills and requirements for the job. Yes, you've surely looked at some of those ads. A CISSP cert for an entry-level job, why? Because. Because they look for the purple squirrel. 
Well, they're not gonna find it that way and, in the meantime, you'll be jobless.&nbsp;</li><li><span style="font-style: italic;">Discrimination: </span>Some companies and recruiters would rather call someone who's already working over someone who doesn't have a job in the industry, and the longer you've been unemployed, the bigger the red flag for them. Yes, you heard it right. They bitch about a skills shortage and rant because they can't find the right people, but they don't want to call those who could get hired, why? Because you're damaged goods for them. There must be something wrong with you if you were unemployed for so long. Well, maybe there's something wrong with <span style="font-style: italic;">them.&nbsp;</span>Considering how fast the job market is changing, especially in technology and even more so in information security, job hopping and unemployment periods should be considered normal. <span style="font-weight: bold;"><span style="color: yellow;">Well, it's not my fault if you guys don't wanna f** hire me</span>. </span>Well, this is part of the&nbsp;problem, but also part of the solution. I'll explain that there's something you can do to overcome this.</li><li><span style="font-style: italic;">Some recruiters and corporate HR managers are downright jerks</span>: Some of them are nice and I loved working with them, but some of them are rude, unprofessional and should seriously consider switching careers. In December, a company called me for a phone interview, out of the blue, without any notice whatsoever. They grilled me for maybe one hour on technical stuff. I had to answer questions from maybe three or four interviewers. Wtf? Final outcome: I haven't heard back from them so far. Of course, they tell you they'll let you know in two weeks or so, but they mostly don't follow up. Well, that's not the type of company I want to work for. 
Expect this type of conduct, and consider that some recruiters, especially if they call you from those body shops based overseas in India or even here in the US, don't act in your best interest. They try to place you somewhere even if you're not qualified, so that they get a fee. Most companies don't even want them to submit candidates. They're a bunch of unprofessional guys and, 99 cases out of 100, you're wasting your time and losing your reputation. With in-person interviews, you might think you did great, but then the hiring manager maybe discards you for a stupid half-assed reason you might not even think about. They ask you weird behavioral questions and, if you answer that you're the wrong type of tree, you're out. It's true, they must like you. You don't wanna have around someone you don't like, I get it. The fact is you can't please everyone and, for God's sake, shouldn't an interview be about making sure the candidate knows how to get his/her job done in the first place? Then, you can't expect anyone to know every possible piece of software. What I don't know I can learn. The truth is companies don't want to train people, but they don't even want to pay professionals for what they're worth. That's the reason for this whole stalemate.</li><li><span style="font-style: italic;">You've got too much competition as an entry-level analyst/pentester:</span> Yeah, if you have limited experience and there's someone with 2-3 years' experience, they'll always choose that candidate over you, and they're right. Experience is invaluable, but how do I get it if I can't work in the industry? Well, by getting out of this scheme and this box. 
That's how they want you to think, and that's exactly what you DON'T HAVE to do.</li></ol><div></div><div><span style="font-style: italic;"><br /></span></div><div><a href="http://2.bp.blogspot.com/-Lr0EBxPjNqc/WmKWo38KO0I/AAAAAAAAFTU/-5r7UmALsB4gQXaqRf57WkiHSr3i2gpqQCK4BGAYYCw/s1600/8b9a7c7e1ff41ca5f6c8b13b86bda485-730069.png"><img alt="" border="0" height="386" id="BLOGGER_PHOTO_ID_6512933640086371138" src="https://2.bp.blogspot.com/-Lr0EBxPjNqc/WmKWo38KO0I/AAAAAAAAFTU/-5r7UmALsB4gQXaqRf57WkiHSr3i2gpqQCK4BGAYYCw/s640/8b9a7c7e1ff41ca5f6c8b13b86bda485-730069.png" width="640" /></a></div><div><span style="font-style: italic;"><br /></span></div><div><span style="font-style: italic;">How you can get a job and what you need to do to stand out</span></div><div><br /></div><div><ol><li><span style="font-style: italic;">Network,&nbsp;network, network: </span><span style="color: yellow;"><span style="font-weight: bold;">Jobs are out there, but don't get posted</span></span>. Don't wait for a job posting to come out. If you want to work for a company, network with their recruiters or, even better, their CEOs, through LinkedIn. Ask for suggestions and recommendations on how to break into the info sec field and give them your resume. NEVER ask them for a job directly, unless you're on good terms or have interacted with them in the past. Tell them you're willing to help them out even for free because you need to grow professionally. If they're decent human beings, they've been there, too, in the past and can relate to your situation. You might be able to find a mentor, and any recommendations or advice are like gold to you. They might also pass your resume to other companies, sometimes. These guys are years ahead of you down the road, so thank them for their time whatever answer they might give you, even if it's not something you want to hear. Skip postings from websites like Monster and the like. 
I mean, apply to them, sure, but don't rely on them only.<span style="font-weight: bold;"> <span style="color: orange;">This is a total game changer and is how I got my job</span></span>. Consider that for any such posting, you'll have a certain number of competitors, who might have higher qualifications and more experience than you do. In a situation like mine, instead, there was no such thing. In this case, employers don't have to wait for a set of interviews to be completed, or to X-ray all candidates, or for a budget to be authorized. It's you and the employers and, if they like you, you're in.</li><li><span style="font-style: italic;">Work on your skills and face your shortcomings: </span>You have to be realistic. If your skills are outdated, you're not gonna find a job. You need to work on your skills and improve constantly, going to the next level. In my previous post, I talked about how to develop technical skills and I refer you to that, but in short you should: study, create a virtual lab, take classes, think of certifications and of furthering your education. If you don't know Windows 10, for example, download an ISO, spin up a VM and learn it. THERE'S NO EXCUSE NOWADAYS. I had to learn how to configure a honeypot. Never done it before, right? Well, I read about it, I played with it in a VM and here it is, up and running. <span style="color: yellow;"><span style="font-weight: bold;">I also refer here to soft skills. If you're shy and have problems communicating with or talking to people, take public speaking classes</span>.</span> I had to take one in my first college semester and it helped me a lot. There's plenty of tutorials online (free of charge or not) for you to be able to communicate effectively, which is paramount in security. You need to relate to customers who mostly have no clue what the hell you're talking about. Make it so easy that even a fifth grader would understand you. 
Above all, learn how to communicate in a very professional and cautious way, avoiding coming across as snippy or judgmental, or simply unintentionally pissing someone off due to poor wording.</li><li><span style="font-style: italic;">Volunteer, CREATE EXPERIENCE FROM NOTHING: </span>Volunteer for non-profit organizations, but most of all, if you want to become a pentester, <span style="font-weight: bold;"><span style="color: yellow;">volunteer for a hacking conference. I'm going to volunteer for BSides Columbus and I think it'll be one of the&nbsp;most amazing experiences of my life</span>. </span>You can network with the big guys in the industry, meet potential employers, get closer to the hacker community and create relationships that might help you in the future. Create a tech blog, like I do, create a virtual lab, play with it and tell the world: I DID IT! I shared my experience through my blog not to brag about it (my achievements are really limited compared to where I wanna be), but to prove what I can do beyond words, behavioral questions and meaningless blah blah. MY PHILOSOPHY IS ZERO EXCUSES. There's no job for me out there? Well, I'm gonna create the conditions for a job to pop up for me. I took every piece of advice I received and performed all the needed steps (and much more challenging steps will have to come in the next months) because it's what I need to do. I never blamed anyone for my unemployment. I was focusing on the wrong thing. I was having a bunch of interviews and thinking: well, it's only a matter of time. I shouldn't have waited for them, I should've networked more and maybe I'd have found an opportunity even earlier. WHAT YOU SHOULD NOT DO IS USE EXCUSES TO JUSTIFY YOUR FAILURE. OWN IT! It's because you made the wrong choices! I went for one of these unsuccessful interviews and there was this guy who had to go in before me, and something he said hit me. 
He said to the recruiter (we were introduced by a temp agency), "<span style="font-style: italic;">they didn't hire me for that position you tried to place me in because I didn't know the software x. But how can I know this if I don't get hired?</span>". &nbsp;It hit me, "<span style="font-style: italic;">Because it's the wrong mindset</span>". Don't get me wrong, he was a nice guy and I hope he got that job, but that's the root of the problem. NO EXCUSES: if you know from the posting they want you to know a specific piece of software, you spin up a VM and play with it and, if they ask you, you honestly tell them you played with it a little bit and you're willing to learn anyway. Turn it into a positive. GET OUT OF THAT BLACK HOLE.</li><li><span style="font-style: italic;">Be persistent:</span> <span style="color: yellow;"><span style="font-weight: bold;">Keep at it, no matter what</span></span>. There was a specific day over the last few months when I had three or four rejection emails about interviews I thought I had done great in. They all came in around the same time on that specific day. I really felt like crap, it hit me hard, but I didn't allow this to stop me. Even though I thought all I did was pointless, I kept writing, studying, posting, trying; I tried harder to prove them wrong, with yet greater determination, because I'm the one who decides whether to stop or not. Nothing external can stop me, neither events nor people. I knew that I had to keep going because I was doing the right thing. Someone was looking, it turns out; way more people than I would have thought possible. I'm grateful for all the support, feedback and recommendations I received over this journey and I want to reciprocate; that's the reason for this post.</li><li><span style="font-style: italic;">Be humble and stay so: </span>No one gives a damn about you, no one knows who you are or what your skills might be, nor do they care about how awesome you are. 
You're a darn number, until you deliver something, show something, make a name for yourself. So don't expect someone to listen to you or give you a job only because you're so amazing or because you have an IT degree. Proven experience is gold in IT and you can be the best in the world, but, if you can't perform the task at hand, you're useless. Then, if you're arrogant, you won't go far. They'll throw you under the bus the first chance they have. Be a team player, especially in the US. Beyond the cliché, it's about being all on the same page, because helping one another goes a long way. If I screw you and you screw me, we all lose. <span style="font-weight: bold;"><span style="color: yellow;">Even when you reach high levels and keep going up, stay humble.</span></span> My challenge here will be to keep showing my employer not only that they made the right choice, but that they made the <i>best</i> choice they could have, and I need to deliver every day to prove I deserve this. I'm working in a startup, so this is paramount. I was a government employee ages ago. I had to totally change my mindset, but there are also pros to working in a startup. At least I have room to express myself. I like LeBron James when he says in North East Ohio nothing is owed, all is granted. That's why he's the best player in the world. I need to thank each and every one of you for the and the support you gave me along this long journey. 
I've now reached a new stage of my career, maybe the most challenging so far, but I'm looking forward to it.</li></ol><a href="https://savvygeektips.blogspot.com/2018/01/tips-for-information-security_22.html" target="_blank"><b>Episode 55</b></a> <br /><a href="https://savvygeektips.blogspot.com/2018/01/tips-for-information-security_12.html" target="_blank"><b>Episode 53 </b></a><br /></div></div></div><div class="blogger-post-footer"><hr />
<a href="http://savvygeektips.blogspot.com">One Tip A Day Tech Blog</a></div><div class="feedflare">
</div>(Ep. 54 permalink: http://savvygeektips.blogspot.com/2018/01/tips-for-information-security_19.html) Tips for an Information Security Analyst/Pentester career - Ep. 53: Meterpreter detection (pt. 3) (Fri, 12 Jan 2018 15:37:00 +0000; Mattia Campagnano; tags: cybersecurity, forensics, hacking, pentesting, tips&tricks)<div class="ennote"><div>Let's now continue our analysis of a system compromised by a Meterpreter payload.</div><div><br /></div><div><i>Forensic tools</i></div><div><i><br /></i></div><iframe allow="autoplay; encrypted-media" allowfullscreen="" frameborder="0" height="315" src="https://www.youtube.com/embed/jOvbt7tQ84E" width="560"></iframe> <br /><div>I created a memory dump with OS Forensics and I analyzed it in combination with Volatility. 
</div><div><br />By copying the Windows standalone executable, available <a href="http://www.volatilityfoundation.org/24">here</a>, to the OS Forensics folder, it is possible to use Volatility inside OS Forensics, as explained in <a href="https://www.osforensics.com/faqs-and-tutorials/using-with-volatility.html">this tutorial</a>.</div><div><br /></div><div><a href="http://1.bp.blogspot.com/-iWgvUkeSxdU/WljUoOwKurI/AAAAAAAAFSU/o23v0WYE4jIs9_sYVwidEZ_A7Jakv7SRgCK4BGAYYCw/s1600/92fb18d69cc922ee8e72ffee75908dc6-736312.png"><img alt="" border="0" height="472" id="BLOGGER_PHOTO_ID_6510187048984033970" src="https://1.bp.blogspot.com/-iWgvUkeSxdU/WljUoOwKurI/AAAAAAAAFSU/o23v0WYE4jIs9_sYVwidEZ_A7Jakv7SRgCK4BGAYYCw/s640/92fb18d69cc922ee8e72ffee75908dc6-736312.png" width="640" /></a></div><div><br /></div><div>However, an analysis with Volatility didn't reveal anything suspicious going on (<i>more details in the embedded video</i>).</div><div><br /></div><div><a href="http://4.bp.blogspot.com/-Zs_uxWpzf7c/WljUo_0OOuI/AAAAAAAAFSc/Hhf7W8pVWFAUhHatemWB_SG1mdkdcVLfgCK4BGAYYCw/s1600/6a1401245d6fc2df28634192d83897f0-741535.png"><img alt="" border="0" height="402" id="BLOGGER_PHOTO_ID_6510187062154377954" src="https://4.bp.blogspot.com/-Zs_uxWpzf7c/WljUo_0OOuI/AAAAAAAAFSc/Hhf7W8pVWFAUhHatemWB_SG1mdkdcVLfgCK4BGAYYCw/s640/6a1401245d6fc2df28634192d83897f0-741535.png" width="640" /></a></div><div><br /></div><div><i>Detection tools</i></div><div><i><br /></i></div><div>As explained in the previous part, neither MS Security Essentials nor other tools had detected anything suspicious, even though I knew there was a payload in memory (I created it!!).</div><div><br /></div><div>Therefore, I used a different <a href="https://github.com/DamonMohammadbagher/Meterpreter_Payload_Detection">detection tool</a>, along with <a href="https://www.eset.com/us/home/online-scanner/">ESET Online Antivirus Scanner</a>.</div><div><br /></div><div>I had migrated to a system process, after my previous 
exploit, so I was stealthy.</div><div><br /></div><div>I wanted to see, though, what happened with these two tools when I first hacked into the system, and they both rose to the occasion.</div><div><br /></div><div>The <span style="color: yellow;"><b>Meterpreter Payload Detection</b></span> tool found my payload in memory, and so did ESET.</div><div><br /></div><div><a href="http://4.bp.blogspot.com/-QVXYC4byRWE/WljUqPP5G4I/AAAAAAAAFSk/_pxk0ZXM8Z4BkDAqGMl-UTbJVhhlQdEUACK4BGAYYCw/s1600/c0ee872e7961502e3197c9ca5d8eacdd-745331.png"><img alt="" border="0" height="416" id="BLOGGER_PHOTO_ID_6510187083476835202" src="https://4.bp.blogspot.com/-QVXYC4byRWE/WljUqPP5G4I/AAAAAAAAFSk/_pxk0ZXM8Z4BkDAqGMl-UTbJVhhlQdEUACK4BGAYYCw/s640/c0ee872e7961502e3197c9ca5d8eacdd-745331.png" width="640" /></a></div><div><br /></div><div><a href="http://3.bp.blogspot.com/-JeErA6Nq3_A/WljUq9i5tzI/AAAAAAAAFSs/aTd_oECKVUEZxiiDYwmiOQk9gM0pB9pLQCK4BGAYYCw/s1600/89f6942ca2d68fabafb231764bb2e467-749292.png"><img alt="" border="0" height="364" id="BLOGGER_PHOTO_ID_6510187095904597810" src="https://3.bp.blogspot.com/-JeErA6Nq3_A/WljUq9i5tzI/AAAAAAAAFSs/aTd_oECKVUEZxiiDYwmiOQk9gM0pB9pLQCK4BGAYYCw/s640/89f6942ca2d68fabafb231764bb2e467-749292.png" width="640" /></a></div><div><br /></div><div><a href="http://2.bp.blogspot.com/-iqI0BNr1hv4/WljUroM112I/AAAAAAAAFS0/SuNG_FfxvvYgPbd8bs_80umwqeyQYrNuACK4BGAYYCw/s1600/00f9fe2752dfdffad656ea98babd0408-752738.png"><img alt="" border="0" height="476" id="BLOGGER_PHOTO_ID_6510187107354793826" src="https://2.bp.blogspot.com/-iqI0BNr1hv4/WljUroM112I/AAAAAAAAFS0/SuNG_FfxvvYgPbd8bs_80umwqeyQYrNuACK4BGAYYCw/s640/00f9fe2752dfdffad656ea98babd0408-752738.png" width="640" /></a></div><div><br /></div><div><i>Evasion</i></div><div><i><br /></i></div><div>I also used <i>Veil</i> to add another layer of evasion to my payload, but both tools detected it just the same.</div><div><br /></div><div>I had also killed my previously opened Meterpreter sessions, in order to understand how 
successful my attack would be.</div><div><br /></div><div>Every time Meterpreter tried to open a new session, <span style="color: yellow;"><b>Meterpreter Payload Detection</b></span> blocked the reverse connection and I couldn't pop a shell.</div><div><br /></div><div>Metasploit simply hung and froze there.</div><div><br /></div><div><a href="http://4.bp.blogspot.com/-I5rEo94RNFQ/WljUs_yGKcI/AAAAAAAAFS8/6bD0I3U6_lg4ziCNWob1z-S90MqbOdZ-ACK4BGAYYCw/s1600/7a554085f45e21ef47cfa73cf21a7965-756294.png"><img alt="" border="0" height="238" id="BLOGGER_PHOTO_ID_6510187130864937410" src="https://4.bp.blogspot.com/-I5rEo94RNFQ/WljUs_yGKcI/AAAAAAAAFS8/6bD0I3U6_lg4ziCNWob1z-S90MqbOdZ-ACK4BGAYYCw/s640/7a554085f45e21ef47cfa73cf21a7965-756294.png" width="640" /></a></div><div><br /></div><div>Extremely frustrating for an attacker/red teamer, but surely good news for a defender/blue teamer.</div><div><br /></div><div><i>Wrap-up</i></div><div><i><br /></i></div><div>As this post and the two previous ones highlight, defenders have to stay on top of attack techniques in order to recognize certain patterns and signatures and successfully block the attack. It's a cat and mouse game.</div><div><br /></div><div>Defenders try to move the cheese around and attackers try to find a way around the traps and steal the cheese.</div><div><br /></div><div>I'll probably go back to this topic with more in-depth posts, but feel free to comment and provide any feedback you feel is appropriate and helpful.<br /><br />Of course, malware can become much more sophisticated and dangerous than that.<br /><br />I'd recommend checking out this very good <a href="https://register.gotowebinar.com/register/8284602799833870337?source=t" target="_blank">webinar</a> on AV evasion from Black Hills Cyber Security for more ideas on this topic (<i>no, John Strand didn't pay me for this. 
I only happen to deeply respect him and his company</i>).<br /><br /><a href="https://savvygeektips.blogspot.com/2018/01/tips-for-information-security_19.html" target="_blank"><b>Episode 54</b></a><br /><br /><b><a href="https://savvygeektips.blogspot.com/2018/01/tips-for-information-security_10.html" target="_blank">Episode 52 </a></b></div></div><script> (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){ (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o), m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m) })(window,document,'script','//www.google-analytics.com/analytics.js','ga'); ga('create', 'UA-45941375-1', 'savvygeektips.blogspot.com'); ga('send', 'pageview'); </script><div class="blogger-post-footer"><hr />
<a href="http://savvygeektips.blogspot.com">One Tip A Day Tech Blog</a></div><div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/blogspot/HLRhI/~4/w3wbpZohxQY" height="1" width="1" alt=""/>http://feedproxy.google.com/~r/blogspot/HLRhI/~3/w3wbpZohxQY/tips-for-information-security_12.htmlnoreply@blogger.com (Mattia Campagnano)0http://savvygeektips.blogspot.com/2018/01/tips-for-information-security_12.htmltag:blogger.com,1999:blog-2419284614709488194.post-8260821983307755819Thu, 11 Jan 2018 15:46:00 +00002018-05-05T11:03:22.715-04:00cybersecurityhackingpentestingtips&tricksTips for an Information Security Analyst/Pentester career - Ep. 52: Meterpreter detection (pt. 2)<div class="ennote"><div>Resuming from where we left off in the <a href="https://savvygeektips.blogspot.com/2018/01/tips-for-information-security_7.html" target="_blank">first part</a>, we can now move further with our analysis.</div><div><b><br /></b></div><iframe allow="encrypted-media" allowfullscreen="" frameborder="0" gesture="media" height="315" src="https://www.youtube.com/embed/Jpnpk8tqKuk" width="560"></iframe> <br /><div><i>Windows Event Log analysis</i></div><div><br /></div><div>By filtering the <b>Security</b> log by <i>Critical</i>, <i>Warning</i> and <i>Error</i> entries, I could find an interesting event (ID 1116) related to a Trojan horse detection.</div><div><br /></div><div>No alert had popped up, though, and this is because MS Security Essentials was stopped, as shown by another event.</div><div><br /></div><div><a href="http://2.bp.blogspot.com/-geVzpUlEQ54/WlWDYve4LDI/AAAAAAAAFRU/0iKIosQJOL8PABT-99zzCS7vPU5JWF3agCK4BGAYYCw/s1600/0a37a8f78d5cdda2c0b68c284e9f0662-732003.png"><img alt="" border="0" height="640" id="BLOGGER_PHOTO_ID_6509253297519995954" src="https://2.bp.blogspot.com/-geVzpUlEQ54/WlWDYve4LDI/AAAAAAAAFRU/0iKIosQJOL8PABT-99zzCS7vPU5JWF3agCK4BGAYYCw/s640/0a37a8f78d5cdda2c0b68c284e9f0662-732003.png" width="638" /></a></div><div><br /><div class="separator" style="clear: both; text-align: center;"><a 
href="https://3.bp.blogspot.com/-w1ACgSEtmI0/WlWFaxfIBvI/AAAAAAAAFR8/Fn3sJJLFiSMyIC6jVfYib_It7OgRrA9TQCLcBGAs/s1600/Untitled.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="451" data-original-width="966" height="298" src="https://3.bp.blogspot.com/-w1ACgSEtmI0/WlWFaxfIBvI/AAAAAAAAFR8/Fn3sJJLFiSMyIC6jVfYib_It7OgRrA9TQCLcBGAs/s640/Untitled.png" width="640" /></a></div><br /><br /><br /></div><div>Within the filter window, you'll notice an XML tab.</div><div><br /></div><div><a href="http://2.bp.blogspot.com/-CjbeVAdSo7Y/WlWDZyEnviI/AAAAAAAAFRk/bDxKxR6c6_QgZnBYchgV3FLZ1WZ1zl5swCK4BGAYYCw/s1600/b46d37959c0cdac8e40794b54539c449-738276.png"><img alt="" border="0" height="630" id="BLOGGER_PHOTO_ID_6509253315395042850" src="https://2.bp.blogspot.com/-CjbeVAdSo7Y/WlWDZyEnviI/AAAAAAAAFRk/bDxKxR6c6_QgZnBYchgV3FLZ1WZ1zl5swCK4BGAYYCw/s640/b46d37959c0cdac8e40794b54539c449-738276.png" width="640" /></a></div><div><br /></div><div><br /></div><div><i>Filtering event logs with PowerShell</i></div><div><br /></div><div><br /></div><div>By copying the XML query shown in that tab, we can use PowerShell to return all the events matching it and redirect them to an output file.</div><div><br /></div><div>Now, this isn't very beneficial in this specific case, with only 5 such events, but think of big corporate environments where you have to sift through hundreds of thousands of events.</div><div><br /></div><div>That would definitely give you an edge.</div><div><br /></div><div><a href="http://1.bp.blogspot.com/-6-L8R9nqcLk/WlWDaxma7nI/AAAAAAAAFRs/w-Oda-Js29seZwb1b8tBqb0YbEKvwVgeQCK4BGAYYCw/s1600/4c1ee5e5769fe9d859ecdee11d310dad-740508.png"><img alt="" border="0" height="262" id="BLOGGER_PHOTO_ID_6509253332448243314" src="https://1.bp.blogspot.com/-6-L8R9nqcLk/WlWDaxma7nI/AAAAAAAAFRs/w-Oda-Js29seZwb1b8tBqb0YbEKvwVgeQCK4BGAYYCw/s640/4c1ee5e5769fe9d859ecdee11d310dad-740508.png" width="640" /></a></div><div><br 
/></div><div><i>Snort signatures</i></div><div><i><br /></i></div><div>I found some <a href="http://rules.emergingthreats.net/open/snort-2.9.0/emerging-all.rules">signatures</a> online covering several security threats, Meterpreter included.</div><div><br /></div><div>After downloading them, I extracted only the rules related to Meterpreter, through the command <span style="color: yellow;"><b>cat emerging-all.rules | grep -i Meterpreter &gt; meterpreter_rules</b></span>.</div><div><br /></div><div>Then I installed Snort in a second Kali Linux VM (2017.2) and attacked Windows 7 from my Kali 2017.3 VM.</div><div><br /></div><div>All I could get was a <i>potentially bad traffic</i> alert.</div><div><br /></div><div>I think I need better rules for that.</div><div><br /></div><div><a href="http://3.bp.blogspot.com/-XT7ZLXEZPH0/WlWDb0AUahI/AAAAAAAAFR0/GngpG0PmAx08KFyrJ2gOdy7RM4wlKr3JACK4BGAYYCw/s1600/0c33da2a21e44d1573eb66147869cda0-744882.png"><img alt="" border="0" height="266" id="BLOGGER_PHOTO_ID_6509253350273608210" src="https://3.bp.blogspot.com/-XT7ZLXEZPH0/WlWDb0AUahI/AAAAAAAAFR0/GngpG0PmAx08KFyrJ2gOdy7RM4wlKr3JACK4BGAYYCw/s640/0c33da2a21e44d1573eb66147869cda0-744882.png" width="640" /></a></div><div><br /></div><div>I'll try more advanced stuff in the next post, so stay tuned!<br /><br /><a href="https://www.youtube.com/watch?v=6fbotSZeFkQ&amp;list=PL-giMT7sGCVJQIgB06ock6ptjKvSc-rXc&amp;t=2598s&amp;index=1" target="_blank">External sources</a> <br /><br /><a href="https://savvygeektips.blogspot.com/2018/01/tips-for-information-security_12.html" target="_blank"><b>Episode 53</b></a><br /><br /><b><a href="https://savvygeektips.blogspot.com/2018/01/tips-for-information-security_7.html" target="_blank">Episode 51</a></b></div></div><script> 
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){ (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o), m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m) })(window,document,'script','//www.google-analytics.com/analytics.js','ga'); ga('create', 'UA-45941375-1', 'savvygeektips.blogspot.com'); ga('send', 'pageview'); </script><div class="blogger-post-footer"><hr />
<a href="http://savvygeektips.blogspot.com">One Tip A Day Tech Blog</a></div><div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/blogspot/HLRhI/~4/7CZEVHQpscU" height="1" width="1" alt=""/>http://feedproxy.google.com/~r/blogspot/HLRhI/~3/7CZEVHQpscU/tips-for-information-security_10.htmlnoreply@blogger.com (Mattia Campagnano)0http://savvygeektips.blogspot.com/2018/01/tips-for-information-security_10.htmltag:blogger.com,1999:blog-2419284614709488194.post-6396689816870320233Mon, 08 Jan 2018 13:59:00 +00002018-01-10T10:01:58.666-05:00cybersecurityhackingpentestingtips&tricksTips for an Information Security Analyst/Pentester career - Ep. 51: Meterpreter detection<div class="ennote"><div>So far I've enjoyed playing on the offensive end, by exploiting my VMs through Meterpreter payloads and taking control of them.</div><div><br /></div><div>My ultimate goal is to be a white hat hacker/red teamer.</div><div><br /></div><div>However, I've been an analyst too, and you can't be that good a hacker/pentester/red teamer if you don't understand how to defend against Meterpreter and don't know what such an exploit looks like on the victim machine.</div><div><br /></div><div>That knowledge also teaches you how to get stealthier with your attacks.</div><div><br /></div><div>Likewise, you can't be a good analyst/defender/blue teamer if you don't understand what type of artifacts, signatures, patterns or logs you should keep an eye on.<br /><br /></div><iframe allow="encrypted-media" allowfullscreen="" frameborder="0" gesture="media" height="315" src="https://www.youtube.com/embed/dIqFdQGkvJc" width="560"></iframe> <br /><div><br /></div><div>This is a short introduction. 
I intend to go way deeper into the rabbit hole, leveraging my forensic studies, if I can.</div><div><br /></div><div><span style="font-style: italic;">Scenario: Windows 7 VM exploitation through msfvenom and a reverse shell payload</span></div><div><br /></div><div><span style="font-style: italic; font-weight: bold;">Attack</span></div><div><br /></div><div>I performed the usual exploitation against my Windows 7 machine and was able to pop a shell and escalate privileges.</div><div><br /></div><div>Then I migrated to a system process.</div><div><br /></div><div><a href="http://2.bp.blogspot.com/-x3KW1y0lrlI/WlFYNE5GWDI/AAAAAAAAFQg/iRqSaPoj5AwokeD9aFtqSvoRJFug0cOpQCK4BGAYYCw/s1600/04cb15cc63537524db55b175677401b1-733055.png"><img alt="" border="0" height="395" id="BLOGGER_PHOTO_ID_6508079918201854002" src="https://2.bp.blogspot.com/-x3KW1y0lrlI/WlFYNE5GWDI/AAAAAAAAFQg/iRqSaPoj5AwokeD9aFtqSvoRJFug0cOpQCK4BGAYYCw/s640/04cb15cc63537524db55b175677401b1-733055.png" width="640" /></a></div><div><br /></div><div><span style="font-style: italic; font-weight: bold;">What it looks like on the victim machine</span></div><div><br /></div><div>On the other end, nothing suspicious pops up.</div><div><br /></div><div>However, if we run the <span style="color: yellow;"><span style="font-weight: bold;">netstat -abno</span></span> command and redirect its output to a text file (much easier to read that way), we notice a process listening on port 4444 TCP on our Kali machine (notice its IP address).</div><div><br /></div><div>Its PID doesn't look suspicious, but the port number already raises a red flag, because it's the default port used by Meterpreter.</div><div><br /></div><div>Its name looks suspicious as well, even though it turns out to be a signed Apache Bench file.</div><div><br /></div><div><i>Check out the embedded video for more details and a much deeper analysis.</i></div><div><br /></div><div><a 
href="http://1.bp.blogspot.com/-SZ-pd9x1Zyk/WlFYOAVB5QI/AAAAAAAAFQo/TKQiPlKjj3MZTEYyNu6yhLcEqm4-Eur-ACK4BGAYYCw/s1600/b38968112f1d602806dd127adca6c35f-738105.png"><img alt="" border="0" height="640" id="BLOGGER_PHOTO_ID_6508079934156694786" src="https://1.bp.blogspot.com/-SZ-pd9x1Zyk/WlFYOAVB5QI/AAAAAAAAFQo/TKQiPlKjj3MZTEYyNu6yhLcEqm4-Eur-ACK4BGAYYCw/s640/b38968112f1d602806dd127adca6c35f-738105.png" width="618" /></a></div><div>Other processes associated with Kali are also listening on port 443.</div><div><br /></div><div>One of those is Microsoft Security Essentials, which makes sense because I had migrated to that specific process.</div><div><br /></div><div>The Security log shows MS Security Essentials was, in fact, stopped.</div><div><br /></div><div>I re-exploited the machine by using the same msfvenom payload, but this time I didn't migrate to another process: I was a sloppy attacker.</div><div><br /></div><div>After re-running <span style="color: yellow;"><span style="font-weight: bold;">netstat -abno</span></span>, we can now notice an executable called <span style="color: yellow;"><span style="font-weight: bold;">intruder(2).exe</span></span>, our custom payload.</div><div><br /></div><div>You'll notice the Kali IP address changed; I had some connectivity problems with my Kali VM that eventually led to this.</div><div><br /></div><div>The executable was still running as a result of my previous attack, from before I lost connectivity with my Kali VM (which ended up switching IP addresses from 192.168.1.78 to 192.168.1.64).</div><div><br /></div><div>That's a no-no for an attacker.</div><div><br /></div><div>You'll also notice another red flag.</div><div><br /></div><div>Processes such as <span style="font-weight: bold;"><span style="color: yellow;">svchost.exe</span></span> and <span style="color: yellow;"><span style="font-weight: bold;">wininit.exe</span></span>, which should belong to NT AUTHORITY/SYSTEM, return an error message (<span 
style="font-style: italic;">can not obtain ownership information</span>).</div><div><br /></div><div>I think this is due to the privilege escalation we performed.</div><div><br /></div><div><a href="http://2.bp.blogspot.com/-Z5FT4LRgUpI/WlFYPEqeiMI/AAAAAAAAFQw/t65uQINlMQkT84j_DCmY4MuSxg5PbdPfACK4BGAYYCw/s1600/6c89941e26ba73f333ef128d84e6dec6-742275.png"><img alt="" border="0" height="640" id="BLOGGER_PHOTO_ID_6508079952500263106" src="https://2.bp.blogspot.com/-Z5FT4LRgUpI/WlFYPEqeiMI/AAAAAAAAFQw/t65uQINlMQkT84j_DCmY4MuSxg5PbdPfACK4BGAYYCw/s640/6c89941e26ba73f333ef128d84e6dec6-742275.png" width="526" /></a></div><div><br /></div><div>I migrated to a new process and re-ran the <b><span style="color: yellow;">netstat -abno</span></b> command.</div><div><br /></div><div>Now you'll only notice <span style="color: yellow;"><b>svchost.exe</b></span> listening on port 4444 TCP.</div><div><br /></div><div><a href="http://1.bp.blogspot.com/-HV8rtzIIDkU/WlFYQHmZZRI/AAAAAAAAFQ4/MnW_erCCakccBTQA4Q1AgUTD8HHcltiVACK4BGAYYCw/s1600/d2ba4449875c7845976b6d17d82b596e-746228.png"><img alt="" border="0" height="78" id="BLOGGER_PHOTO_ID_6508079970468324626" src="https://1.bp.blogspot.com/-HV8rtzIIDkU/WlFYQHmZZRI/AAAAAAAAFQ4/MnW_erCCakccBTQA4Q1AgUTD8HHcltiVACK4BGAYYCw/s640/d2ba4449875c7845976b6d17d82b596e-746228.png" width="640" /></a></div><div><br /></div><div>I ran a VirusTotal scan against <span style="font-style: italic;">svchost.exe</span>, into which I had injected my executable, and no malware was detected.</div><div><br /></div><div>I then scanned with two different tools: <span style="color: yellow;"><b>Antimeter</b></span> and <span style="color: yellow;"><b>Anti-Pwny</b></span>, available <a href="http://www88.zippyshare.com/v/t6FjCuTR/file.html">here</a>.</div><div><br /></div><div>This time around, <span style="color: yellow;"><b>Antimeter</b></span> found my Meterpreter payload running in memory (I should have killed it from Kali) and stopped 
it.</div><div><br /></div><div><a href="http://1.bp.blogspot.com/-UGRwDM-g9-8/WlFYXvUTsvI/AAAAAAAAFRA/jNaFER_eL2oKxL4LCcmBIWPUgw4oSajxgCK4BGAYYCw/s1600/1c785cc34561cdcf9409ca6d8994a569-749778.png"><img alt="" border="0" height="204" id="BLOGGER_PHOTO_ID_6508080101388956402" src="https://1.bp.blogspot.com/-UGRwDM-g9-8/WlFYXvUTsvI/AAAAAAAAFRA/jNaFER_eL2oKxL4LCcmBIWPUgw4oSajxgCK4BGAYYCw/s640/1c785cc34561cdcf9409ca6d8994a569-749778.png" width="640" /></a></div><div><br /></div><div>When it did so, my session died immediately.</div><div><br /></div><div><span style="font-style: italic;">More considerations</span></div><div><br /></div><div>In addition to the above, an analyst should monitor the client for processes that shouldn't be there in the first place, or that don't make any sense for the specific client configuration.</div><div><br /></div><div>Why should a standard user run PowerShell, for example?</div><div><br /></div><div>Or, why should a computer not belonging to an administrator run Windows Remote Management?</div><div><br /></div><div>Windows Remote Management can be leveraged for a specific Meterpreter attack, as explained in this <a href="https://www.trustedsec.com/2017/09/using-winrm-meterpreter/">TrustedSec blog post</a>.</div><div><br /></div><div>I'm going to delve more into that by analyzing how to monitor network traffic with PowerShell and, if I can, how to decrypt the SSL traffic generated by Meterpreter in order to inspect it and check it against some custom signatures.</div><div><br /></div><div>I'm also going to check for a Meterpreter shell with Snort rules.</div><div><br /></div><div>Stay tuned for the next part.<br /><br /><a href="https://savvygeektips.blogspot.com/2018/01/tips-for-information-security_10.html" target="_blank"><b>Episode 52</b></a><br /><br /><b><a href="https://savvygeektips.blogspot.com/2018/01/tips-for-information-security_3.html" target="_blank">Episode 50</a></b></div><div><br 
/></div></div><script> (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){ (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o), m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m) })(window,document,'script','//www.google-analytics.com/analytics.js','ga'); ga('create', 'UA-45941375-1', 'savvygeektips.blogspot.com'); ga('send', 'pageview'); </script><div class="blogger-post-footer"><hr />
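The red flags the post picks out of <b>netstat -abno</b> by eye (a connection on Meterpreter's default port 4444, and processes whose owner netstat cannot resolve) can be checked automatically. The following is an added example, not the author's code: a POSIX shell function that parses netstat -abno output and prints only the suspicious entries, run here against a constructed sample in which the victim address 192.168.1.10 is made up and 192.168.1.78 is the Kali address from the post.

```shell
#!/bin/sh
# Added example (not from the post): flag the red flags the post describes in
# "netstat -abno" output, namely a connection on Meterpreter's default port
# 4444 and processes netstat cannot attribute ("Can not obtain ownership
# information"). Real usage: netstat -abno > netstat.txt; flag_netstat < netstat.txt

# Read netstat -abno output on stdin and print one line per suspicious entry.
# $1 is an optional regex of suspect ports (default: 4444, the Meterpreter default).
flag_netstat() {
  awk -v SUSPECT="${1:-4444}" '
    # Emit the buffered connection once all of its owner lines are collected.
    function flush(   n, l, f, lport, fport, why) {
      if (pid == "") return
      n = split(laddr, l, ":"); lport = l[n]      # last field: works for [::]:port too
      n = split(faddr, f, ":"); fport = f[n]
      why = ""
      if (fport ~ ("^(" SUSPECT ")$") || lport ~ ("^(" SUSPECT ")$"))
        why = "port matches " SUSPECT " (Meterpreter default)"
      if (owner ~ /Can not obtain ownership information/)
        why = why (why != "" ? "; " : "") "ownership unknown"
      if (why != "")
        printf "%s %s -> %s state=%s pid=%s owner=%s reason=%s\n",
               proto, laddr, faddr, state, pid, owner, why
      pid = ""; owner = ""
    }
    # A connection line; netstat -b prints the owner on the following line(s).
    $1 == "TCP" || $1 == "UDP" {
      flush()
      proto = $1; laddr = $2; faddr = $3
      if (proto == "UDP") { state = "-"; pid = $4 } else { state = $4; pid = $5 }
      next
    }
    # Owner lines: a service name, [image.exe], or the ownership error message.
    pid != "" && NF > 0 {
      sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
      owner = (owner == "" ? $0 : owner " / " $0)
    }
    END { flush() }
  '
}

# Constructed sample in netstat -abno format (not real output): a victim at
# 192.168.1.10 (made up) talking to Kali at 192.168.1.78 (the address in the post).
SAMPLE_NETSTAT='
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       704
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    192.168.1.10:49158     192.168.1.78:4444      ESTABLISHED     2812
 [intruder(2).exe]
  TCP    192.168.1.10:49160     192.168.1.78:443       ESTABLISHED     1900
 [MsMpEng.exe]
  UDP    0.0.0.0:500            *:*                                    1080
  IKEEXT
 [svchost.exe]
'

# Only the port-4444 connection (pid 2812) and the unattributed listener (pid 4)
# are printed; the 443 connection and the RpcSs/IKEEXT svchost entries are not.
printf '%s\n' "$SAMPLE_NETSTAT" | flag_netstat
```

The function reads whatever netstat -abno output you feed it on stdin, so the same check runs unchanged against a saved text file from a real host.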
<a href="http://savvygeektips.blogspot.com">One Tip A Day Tech Blog</a></div><div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/blogspot/HLRhI/~4/b1XbImZjv4M" height="1" width="1" alt=""/>http://feedproxy.google.com/~r/blogspot/HLRhI/~3/b1XbImZjv4M/tips-for-information-security_7.htmlnoreply@blogger.com (Mattia Campagnano)0http://savvygeektips.blogspot.com/2018/01/tips-for-information-security_7.htmltag:blogger.com,1999:blog-2419284614709488194.post-6949762809980604194Wed, 03 Jan 2018 23:18:00 +00002018-01-08T08:41:49.144-05:00cybersecurityhackingpentestingshelltips&tricksTips for an Information Security Analyst/Pentester career - Ep. 50: Bash for defensive/offensive security<div class="ennote"><div>When it comes to both defensive and offensive security, you mostly hear about popular languages such as Python or Ruby, which makes sense, because they're very powerful.</div><div><br /></div><div>However, people often forget about another important one: Bash.</div><div><br /></div><div>Bash is readily available on UNIX/Linux systems and also on Windows 10 (natively, if you install the Windows Subsystem for Linux, or through something like Cygwin) and on previous Windows versions (through Cygwin and other third-party tools).</div><div><br /></div><div>Bash leverages native UNIX/Linux system commands, so, if you're comfortable with them, you don't need to learn a specific language to write a script.</div><div><br /></div><div>Nonetheless, it's very powerful too.</div><div><br /></div><div>Here I'm not going to teach a basic Bash class, nor am I going to cover its basics.</div><div><br /></div><div>If you started reading this post with zero knowledge of this topic, I recommend you check out this very thorough and clear <a href="http://tldp.org/LDP/Bash-Beginners-Guide/html/">beginner-level guide</a> first and then come back here.<br /><br /></div><iframe allow="encrypted-media" allowfullscreen="" frameborder="0" gesture="media" height="315" src="https://www.youtube.com/embed/50Xhg8NHGNM" width="560"></iframe> <br 
/><div></div><div><span style="color: yellow;"><b><i>Practical examples</i></b></span></div><div><i><b><br /></b></i></div><div><b>a) <a href="https://github.com/matticamp/peoplefinder"><i>peoplefinder.bash</i></a></b></div><div><br /></div><div>As a first example, I'm going to analyze a script I wrote a while ago to perform reconnaissance on people.</div><div><br /></div><div>The script prompts the user for the first name and last name of the person we want to investigate, stores them in two variables and then returns a series of results by automatically querying a list of specialized search engines.</div><div><br /></div><div><a href="http://2.bp.blogspot.com/-DHyZHvtldEQ/Wk1fnkoQwVI/AAAAAAAAFPE/Rgra1ke5E-wPGARna9K65jEfXpttPaAmwCK4BGAYYCw/s1600/f5abca580e8d2ad3e39af459843fc48a-787489.png"><img alt="" border="0" height="296" id="BLOGGER_PHOTO_ID_6506962170072318290" src="https://2.bp.blogspot.com/-DHyZHvtldEQ/Wk1fnkoQwVI/AAAAAAAAFPE/Rgra1ke5E-wPGARna9K65jEfXpttPaAmwCK4BGAYYCw/s640/f5abca580e8d2ad3e39af459843fc48a-787489.png" width="640" /></a></div><div><br /></div><div></div><div><br /></div><div>You'll notice how fast we get the results back and how much time the script saves us.</div><div><br /></div><div>Instead of having to manually open a series of webpages one by one, enter a search string and wait for the results to be returned, the script performs all these operations automatically for us.</div><div><br /></div><div><i><b>b) <a href="https://github.com/matticamp/iprecon/blob/master/iprecon.bash">iprecon.bash</a></b></i></div><div><br /></div><div>This time we're going to create a script together.</div><div><br /></div><div>This script will grab an IP address from the user, validate it and run a series of commands, storing their output in an output file.</div><div><br /></div><div>I had already solved the IP validation problem in another script I had created a while ago, called i<a 
href="https://github.com/matticamp/ipchecker.github.io">pchecker.bash</a>, so I used it as a skeleton for this new script.</div><div><br /></div><div><a href="http://3.bp.blogspot.com/-PQxJhL2glrU/Wk1foTL-PLI/AAAAAAAAFPM/LxK_TbMTuV8CKCRrv9dnr3AaDqF_9Z9ZQCK4BGAYYCw/s1600/6bec172cabbf25e960b451f89780a4d6-791818.png"><img alt="" border="0" height="56" id="BLOGGER_PHOTO_ID_6506962182570130610" src="https://3.bp.blogspot.com/-PQxJhL2glrU/Wk1foTL-PLI/AAAAAAAAFPM/LxK_TbMTuV8CKCRrv9dnr3AaDqF_9Z9ZQCK4BGAYYCw/s640/6bec172cabbf25e960b451f89780a4d6-791818.png" width="640" /></a></div><div><br /></div><div>There's no need to reinvent the wheel in information security.</div><div><br /></div><div>The script grabs an IP address from the user and runs the <i>nslookup</i>, <i>dig</i>, <i>whois</i> and <i>host</i> commands, redirecting their output to a file (<i>for more details, check out the embedded video</i>).</div><div><br /></div><div>The user supplies a name for this file, which is stored in a variable called <i>output</i>.</div><div><br /></div><div>I introduced a 2-second pause between each individual command, so that each one exits cleanly before the next one starts.</div><div><br /></div><div>At the end of the day, though, I realized that having the output from four commands stored in a single file wasn't a very good idea.</div><div><br /></div><div>It was too bulky and hard to read.</div><div><br /></div><div>Therefore, I decided to create four individual output files, one per command, with four corresponding output variables.</div><div><br /></div><div><a href="http://2.bp.blogspot.com/-nGrfcaa-jPE/Wk1fpCjqHxI/AAAAAAAAFPU/Kvhxmw9iDQEBUwYVpwy-TzOONnKMsemsQCK4BGAYYCw/s1600/1efb3e5dd1e348d68feafa8127b519d9-794916.png"><img alt="" border="0" height="448" id="BLOGGER_PHOTO_ID_6506962195285942034" src="https://2.bp.blogspot.com/-nGrfcaa-jPE/Wk1fpCjqHxI/AAAAAAAAFPU/Kvhxmw9iDQEBUwYVpwy-TzOONnKMsemsQCK4BGAYYCw/s640/1efb3e5dd1e348d68feafa8127b519d9-794916.png" width="640" /></a></div><div>The 
final result is much more readable, but still open to improvements, so feel free to send me any feedback about it.</div><div><br /></div><div>You can check the source code on GitHub, and we might say you guys helped me create a Bash script. How about that?<br /><div style="text-align: center;"><br /></div><div style="text-align: center;"><b><a href="https://github.com/matticamp/iprecon/blob/master/iprecon.bash" target="_blank">Source code</a></b> </div><br /><div style="text-align: center;"><a href="https://www.youtube.com/watch?v=smbeKPDVs2I" target="_blank">External sources</a><br /><br /><div style="text-align: left;"><b><a href="https://savvygeektips.blogspot.com/2018/01/tips-for-information-security_7.html" target="_blank">Episode 51</a></b></div></div><div style="text-align: center;"><br /></div><div style="text-align: left;"><a href="https://savvygeektips.blogspot.com/2018/01/tips-for-information-security.html" target="_blank"><b>Episode 49</b></a></div></div></div><div class="blogger-post-footer"><hr />
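An added example, not the post's own iprecon.bash, that sketches the same design in POSIX shell (the output file naming, the tool list and the argument handling are my choices): the address is validated before any command ever sees it, and each tool writes its own file.

```shell
#!/bin/sh
# Added example (not the post's iprecon.bash): one recon command per output
# file, with the IP address validated before it is handed to any command.
# File naming, tool list and argument handling are my choices.

# Return 0 if $1 is a syntactically valid dotted-quad IPv4 address.
# Letters, extra dots, empty octets, octets above 255 and trailing junk
# such as "; id" are all rejected, so a value that passes can be given to
# the recon tools without worrying about shell metacharacters.
validate_ipv4() {
    ip=$1
    case $ip in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # only digits and dots, no empty octet
        *.*.*.*.*) return 1 ;;               # more than three dots
        *.*.*.*) ;;                          # exactly three dots
        *) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $ip                               # split into the four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ ${#octet} -le 3 ] || return 1      # also rejects forms like 0256
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Name of the output file for one tool: <base>_<ip>_<tool>.txt
output_name() {
    printf '%s_%s_%s.txt' "$1" "$2" "$3"
}

# Run each recon tool against the validated IP, one output file per tool,
# pausing 2 seconds between tools as the post does. Tools that are not
# installed are reported and skipped instead of leaving an empty file.
run_recon() {
    ip=$1
    base=$2
    validate_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    for tool in nslookup dig whois host; do
        out=$(output_name "$base" "$ip" "$tool")
        if command -v "$tool" >/dev/null 2>&1; then
            echo "running $tool $ip -> $out"
            "$tool" "$ip" >"$out" 2>&1 || echo "$tool exited with status $?" >&2
            sleep 2
        else
            echo "$tool not installed, skipping" >&2
        fi
    done
}

main() {
    ip=$1
    base=$2
    if [ -z "$base" ]; then
        printf 'Base name for the output files: '
        read -r base
        [ -n "$base" ] || base=recon
    fi
    run_recon "$ip" "$base"
}

# Usage: iprecon.sh <ip> [output-base]; with no arguments the script only
# defines the functions so they can be sourced and reused.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run as `sh iprecon.sh 203.0.113.10 scan` to get scan_203.0.113.10_nslookup.txt and so on; an address that fails validation never reaches the tools.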
<a href="http://savvygeektips.blogspot.com">One Tip A Day Tech Blog</a></div><div class="feedflare">
</div>
Permalink: http://savvygeektips.blogspot.com/2018/01/tips-for-information-security_3.html, by Mattia Campagnano
Tue, 02 Jan 2018 14:05:00 +0000 (updated 2018-01-08T09:07:25.216-05:00); tags: cybersecurity, hacking, pentesting, tips&tricks
Tips for an Information Security Analyst/Pentester career - Ep. 49: Web app pentesting (pt. 2)<div class="ennote"><div>With this post, we're going to see an example of cross-site scripting and browser exploitation.</div><div><br /></div><div><a href="https://en.wikipedia.org/wiki/Cross-site_scripting">Cross-site scripting</a>, a.k.a. XSS, is a very dangerous vulnerability in web applications that "<span style="font-style: italic;">enables attackers to inject client-side scripts into web pages viewed by other users. 
A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy</span>".</div><div><br /></div><div>As a side note, the acronym XSS is used for this vulnerability in order to distinguish it from <a href="https://en.wikipedia.org/wiki/Cascading_Style_Sheets">CSS</a> (Cascading Style Sheets), which is a programming language used for web design.</div><div><br /></div><iframe allow="encrypted-media" allowfullscreen="" frameborder="0" gesture="media" height="315" src="https://www.youtube.com/embed/SpbQp12LoRk" width="560"></iframe> <br /><div><br /></div></div>XSS attacks fall into two categories: <span style="color: yellow;"><b>reflected XSS</b></span> and <b><span style="color: yellow;">stored XSS</span></b>.<br /><br />For a definition of these two types of attack and the difference between them, I'll refer you to <a href="https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)" target="_blank">this page</a>.<br /><br /><span style="font-style: italic;">Basic example of a reflected XSS attack</span><br /><div><br /></div><div>To demonstrate this vulnerability, I'm going to use a vulnerable web application for Windows 7 that can be installed from the additional files accompanying <a href="https://www.amazon.com/Penetration-Testing-Hands-Introduction-Hacking/dp/1593275641">Georgia Weidman's book</a>.</div><div><br /></div><div>This web application, called <span style="font-style: italic;">Bookservice</span>, has an input field that can easily be exploited.</div><div><br /></div><div>So I entered a JavaScript snippet in it that displays a pop-up window.</div><div><br /></div><div><b>PWNED!!</b></div><div><br /></div><div><a href="http://1.bp.blogspot.com/-AWre4vhe440/WkptHKDYO3I/AAAAAAAAFNc/IR_s0Unp0YkUp9jJbSNUsb68QMPdr5WVgCK4BGAYYCw/s1600/3629cbfed6f6b392490df8e20cb087e6-734468.png"><img alt="" border="0" height="640" 
id="BLOGGER_PHOTO_ID_6506132581415140210" src="https://1.bp.blogspot.com/-AWre4vhe440/WkptHKDYO3I/AAAAAAAAFNc/IR_s0Unp0YkUp9jJbSNUsb68QMPdr5WVgCK4BGAYYCw/s640/3629cbfed6f6b392490df8e20cb087e6-734468.png" width="534" /></a></div><div><br /></div><div><a href="http://4.bp.blogspot.com/-2C7NCBhtQzM/WkptHzcElUI/AAAAAAAAFNk/hv1rLkI_ObIYtEjoxnOfbK1rm9soWgeSwCK4BGAYYCw/s1600/7187d1d5e104a2d27fe03d08a306f4d5-737423.png"><img alt="" border="0" height="300" id="BLOGGER_PHOTO_ID_6506132592524563778" src="https://4.bp.blogspot.com/-2C7NCBhtQzM/WkptHzcElUI/AAAAAAAAFNk/hv1rLkI_ObIYtEjoxnOfbK1rm9soWgeSwCK4BGAYYCw/s640/7187d1d5e104a2d27fe03d08a306f4d5-737423.png" width="640" /></a></div><div><span style="font-style: italic;">Advanced browser exploitation</span></div><div><br /></div><div>We can do much more than display a pop-up alert, though.</div><div><br /></div><div>We can completely take control of the victim's browser by using a tool called <b>BeEF</b> (<span style="font-style: italic;">Browser Exploitation Framework</span>), freely available in Kali Linux.</div><div><br /></div><div>This tool starts a control panel (accessible with the default credentials <i>beef/beef</i> for username and password) that lets you take control of the victim's browser and do pretty much whatever you want.</div><div><br /></div><div>All we need to do is redirect the target to a web page containing a malicious JavaScript snippet that hooks their browser (the script is shown in the output below, under <i>Hook:</i> and <i>Example:</i>).<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-Z-3mxoice6w/Wkq-vW7prdI/AAAAAAAAFOw/uljhekVolYUcEEL2WLPybjmLeIWDzAltQCLcBGAs/s1600/Untitled.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="250" data-original-width="250" 
src="https://3.bp.blogspot.com/-Z-3mxoice6w/Wkq-vW7prdI/AAAAAAAAFOw/uljhekVolYUcEEL2WLPybjmLeIWDzAltQCLcBGAs/s1600/Untitled.png" /></a></div></div><div><br /></div><div><a href="http://4.bp.blogspot.com/-HwT3Ixkb-KM/WkptJEmbKnI/AAAAAAAAFN0/mnuWMDzKr28SE1tKGNy8HlhsRIm1yvFHwCK4BGAYYCw/s1600/a7c2b44045e259b4b6780bc6ae8a28cb-742259.png"><img alt="" border="0" height="178" id="BLOGGER_PHOTO_ID_6506132614311258738" src="https://4.bp.blogspot.com/-HwT3Ixkb-KM/WkptJEmbKnI/AAAAAAAAFN0/mnuWMDzKr28SE1tKGNy8HlhsRIm1yvFHwCK4BGAYYCw/s640/a7c2b44045e259b4b6780bc6ae8a28cb-742259.png" width="640" /></a></div><div><br /></div><div>When you access the control panel, the framework shows you a series of instructions about the commands you can run against the victim's browser.</div><div><br /></div><div><a href="http://3.bp.blogspot.com/-LqSUifWgq3s/WkptJnnUiDI/AAAAAAAAFN8/mMpYznd478EbmH_FIkKEmxfgAZ4hneQsQCK4BGAYYCw/s1600/dc9877f4ff25d52e082eb108b2ae20e6-744946.png"><img alt="" border="0" height="330" id="BLOGGER_PHOTO_ID_6506132623710259250" src="https://3.bp.blogspot.com/-LqSUifWgq3s/WkptJnnUiDI/AAAAAAAAFN8/mMpYznd478EbmH_FIkKEmxfgAZ4hneQsQCK4BGAYYCw/s640/dc9877f4ff25d52e082eb108b2ae20e6-744946.png" width="640" /></a></div><div>Once you have successfully hooked a browser, the victim machine's IP address appears under <i>Online Browsers</i>.</div><div><br /></div><div>I could successfully exploit DVWA in a Windows 7 virtual machine by leveraging the example script in a vulnerable input field, performing a <span style="color: yellow;"><b>stored cross-site scripting attack</b></span>.</div><div><br /></div><div>I only needed to replace the localhost IP address with the IP address of my attacking machine, as shown below.</div><div><a href="http://4.bp.blogspot.com/-U99iImp2mRQ/WkptKNp_Q7I/AAAAAAAAFOE/JclqxyCdxoQIUZDQN696WAQn29MPMFdRgCK4BGAYYCw/s1600/a62c14afa07a4f54ee25cc2a70305d4a-747322.png"><img alt="" border="0" height="386" id="BLOGGER_PHOTO_ID_6506132633921995698" 
src="https://4.bp.blogspot.com/-U99iImp2mRQ/WkptKNp_Q7I/AAAAAAAAFOE/JclqxyCdxoQIUZDQN696WAQn29MPMFdRgCK4BGAYYCw/s640/a62c14afa07a4f54ee25cc2a70305d4a-747322.png" width="640" /></a></div><div><br /></div><div><a href="http://3.bp.blogspot.com/-PvLMAzOIrsY/WkptK87vQ4I/AAAAAAAAFOM/LW-wOxUHLWA-HRiz84LnhNtmUhZJbYR-ACK4BGAYYCw/s1600/5f2080fdbbfc8ceed939c589e58f9f07-749571.png"><img alt="" border="0" height="318" id="BLOGGER_PHOTO_ID_6506132646612910978" src="https://3.bp.blogspot.com/-PvLMAzOIrsY/WkptK87vQ4I/AAAAAAAAFOM/LW-wOxUHLWA-HRiz84LnhNtmUhZJbYR-ACK4BGAYYCw/s640/5f2080fdbbfc8ceed939c589e58f9f07-749571.png" width="640" /></a></div><div><br /></div><div>Now that we have taken control of the browser, we can do pretty much whatever we want with it.</div><div><br /></div><div>For a complete overview of what we can do, we need to go to the <i>Commands</i> tab.</div><div><br /></div><div><a href="http://4.bp.blogspot.com/-0GiiLMF_4qA/WkptLe9mPwI/AAAAAAAAFOU/HUFx6WLCD0kRpXNwS1OqEYsUAnEZK-WNACK4BGAYYCw/s1600/41ac33c627b7842df63cb40a070eac42-752022.png"><img alt="" border="0" height="640" id="BLOGGER_PHOTO_ID_6506132655747514114" src="https://4.bp.blogspot.com/-0GiiLMF_4qA/WkptLe9mPwI/AAAAAAAAFOU/HUFx6WLCD0kRpXNwS1OqEYsUAnEZK-WNACK4BGAYYCw/s640/41ac33c627b7842df63cb40a070eac42-752022.png" width="416" /></a></div><div>As a short example of a common and dangerous type of attack, I chose a module that displays a fake notification bar on the target machine, asking for additional plug-ins to be installed.</div><div><br /></div><div>You might have seen similar examples while browsing and thought they were legitimate, but clicking such notifications carelessly is never a good idea.</div><div><br /></div><div>In my demonstration, I didn't actually attach any payload or executable to the user's action, but normally you could easily get infected.</div><div><br /></div><div><a 
href="http://2.bp.blogspot.com/-mXhi3FYNNOE/WkptL3J2Q2I/AAAAAAAAFOc/eVep1HXuMDc2bBlCbWcqahEwbN2c2GP1ACK4BGAYYCw/s1600/eb6af927728ad01926b536fdc4a2293f-754194.png"><img alt="" border="0" height="258" id="BLOGGER_PHOTO_ID_6506132662241346402" src="https://2.bp.blogspot.com/-mXhi3FYNNOE/WkptL3J2Q2I/AAAAAAAAFOc/eVep1HXuMDc2bBlCbWcqahEwbN2c2GP1ACK4BGAYYCw/s640/eb6af927728ad01926b536fdc4a2293f-754194.png" width="640" /></a></div><div><a href="http://2.bp.blogspot.com/-J4-O48jLBMM/WkptMtirw4I/AAAAAAAAFOk/mTJ7edIq9OUmWp3FlI7WfdHf8Ugjq9A2QCK4BGAYYCw/s1600/210bb223164fdfaef8187bdb3ae79494-756575.png"><img alt="" border="0" height="424" id="BLOGGER_PHOTO_ID_6506132676841030530" src="https://2.bp.blogspot.com/-J4-O48jLBMM/WkptMtirw4I/AAAAAAAAFOk/mTJ7edIq9OUmWp3FlI7WfdHf8Ugjq9A2QCK4BGAYYCw/s640/210bb223164fdfaef8187bdb3ae79494-756575.png" width="640" /></a></div><div><br /></div><div><i>Wrap-up</i></div><div><i><br /></i></div><div>This brief example shows how web application pentesting has become an important new frontier in information security.</div><div><br /></div><div>Building walls to defend your core information assets according to a typical castle mindset is totally pointless when more and more sensitive and mission-critical systems are exposed to the Internet.</div><div><br /></div><div>XSS attacks are very old stuff, dating back decades; nevertheless, they are still included in the OWASP Top 10, because they don't always get addressed properly, and when time to market becomes more important than secure coding techniques, that's what you're gonna get.<br /><br /><b><a href="https://savvygeektips.blogspot.com/2018/01/tips-for-information-security_3.html" target="_blank">Episode 50</a></b><br /><br /><a href="https://savvygeektips.blogspot.com/2017/12/tips-for-information-security_18.html"><b>Episode 48</b></a></div><div><i><br /></i></div><div class="blogger-post-footer"><hr />
</div><div class="feedflare">
</div>
Permalink: http://savvygeektips.blogspot.com/2018/01/tips-for-information-security.html, by Mattia Campagnano
Mon, 25 Dec 2017 17:10:00 +0000 (updated 2017-12-25T12:11:51.098-05:00); tags: About Me, cybersecurity, general
Merry Christmas to all my readers, LinkedIn connections, Twitter followers, Peerlysters and Quorans
Merry Christmas to all of you and a happy 2018.<br /><br />Best of success for anything you want.<br /><br />As for myself, I hope the new year will bring me a new job.<br /><br />This year was foundational to me, as I achieved two Associate's degrees and a Security+ certification.<br /><br />I hope 2018 will be the year for my return to the info sec industry.<br /><br />We'll see.<br /><br />So far, I'm grateful for a bunch of things, but mostly for the people I interacted with over this year.<br /><br />They all pushed me a little further.<br /><br />Thank you all, guys.<br /><br /><img alt="Ms Jelena's Blog: Merry Christmas / Srecan Bozic!!!!" src="https://images.duckduckgo.com/iu/?u=http%3A%2F%2F4.bp.blogspot.com%2F-NGbjd0Y5N_E%2FTvXlrOHxFdI%2FAAAAAAAAARs%2FiuTQxDauuVQ%2Fs1600%2Fmerry-christmas-2.jpg&amp;f=1" style="display: block; height: 800px; width: 1280px;" /><div class="blogger-post-footer"><hr />
</div><div class="feedflare">
</div>
Permalink: http://savvygeektips.blogspot.com/2017/12/merry-christmas-to-all-my-readers.html, by Mattia Campagnano
Thu, 21 Dec 2017 17:35:00 +0000 (updated 2018-01-01T14:35:20.326-05:00); tags: About Me, cybersecurity, general
PeerTalk: Moving to an Information Security career<br />This is the first Information Security conference I have ever taken part in, as a panelist.<br /><br />Hope you'll enjoy it!!<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-X1lr88lNFjY/UoKUOvqu_gI/AAAAAAAAAHY/5gePcE_FEbkSVQW_1bHRI6TrMya422NogCPcBGAYYCw/s1600/P1000405.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="338" data-original-width="450" height="480" src="https://4.bp.blogspot.com/-X1lr88lNFjY/UoKUOvqu_gI/AAAAAAAAAHY/5gePcE_FEbkSVQW_1bHRI6TrMya422NogCPcBGAYYCw/s640/P1000405.jpg" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><iframe allow="encrypted-media" allowfullscreen="" frameborder="0" gesture="media" height="315" src="https://www.youtube.com/embed/Slr80Xi_58g" width="560"></iframe><div class="blogger-post-footer"><hr />
</div><div class="feedflare">
</div>
Permalink: http://savvygeektips.blogspot.com/2017/12/peertalk-moving-to-information-security.html, by Mattia Campagnano
Mon, 18 Dec 2017 20:19:00 +0000 (updated 2018-01-02T09:26:31.887-05:00); tags: cybersecurity, hacking, pentesting, tips&tricks
Tips for an Information Security Analyst/Pentester career - Ep. 48: Web application pentesting<div class="ennote"><div>This post will deal with web application pentesting.</div><div><br /></div><iframe allow="encrypted-media" allowfullscreen="" frameborder="0" gesture="media" height="315" src="https://www.youtube.com/embed/RkKBEGAkqNc" width="560"></iframe> <br /><div>For this post, I'm going to use a vulnerable web app included in <a href="https://www.amazon.com/Penetration-Testing-Hands-Introduction-Hacking/dp/1593275641">Georgia Weidman's book</a> (<i>within its additional files</i>), based on IIS and SQL Server 2008.</div><div><br /></div><div>I'm going to use Burp Suite to intercept and manipulate web requests.</div><div><br /></div><div><i>Prep</i></div><div><br /></div><div>Let's start out by inserting a single quote symbol in the login field. 
If any input validation were in place, nothing should happen, because the single quote wouldn't be an allowed character.</div><div><br /></div><div>There's no reason why such a character should be accepted in a login field; only letters, numbers and a few specific characters such as dashes and underscores should be allowed.</div><div><br /></div><div>Instead, <i>lo and behold</i>, we get a very nice error message, returning useful information about the back-end database.</div><div><br /></div><div><i>Thank you, webmaster!</i></div><div><br /></div><div><a href="http://2.bp.blogspot.com/-_yB4FshDFFA/Wjgh5EOXRaI/AAAAAAAAFMg/NELlFmnDT3Exid5j7jXPWCbVra0_c4ZuQCK4BGAYYCw/s1600/3cec2eeb3152db6aa42bc8e76117498a-729920.png"><img alt="" border="0" height="510" id="BLOGGER_PHOTO_ID_6500983326379558306" src="https://2.bp.blogspot.com/-_yB4FshDFFA/Wjgh5EOXRaI/AAAA AAAAFMg/NELlFmnDT3Exid5j7jXPWCbVra0_c4ZuQCK4BGAYYCw/s640/3cec2eeb3152db6aa42bc8e76117498a-729920.png" width="640" /></a></div><div><br /></div><div>By entering a SQL injection in the login field (<i>see the video for more details</i>), we can log in as user Mike, very likely the first user in the database.</div><div><br /></div><div>If we go to <i>Profile/View Newsletters</i>, we notice another handy input field, where we can look for the latest newsletter.</div><div><br /></div><div>Intercepting the GET request with Burp Suite, we notice that each user has a newsletter, stored in a folder specific to that user.</div><div><br /></div><div>The newsletter functionality seems to grab the newsletters from the local filesystem using absolute paths.</div><div><br /></div><div>Furthermore, it seems to be using the directory <i>C:\inetpub\wwwroot\Book</i> instead of <i>bookservice</i>, as we would have expected.</div><div><br /></div><div><a href="http://3.bp.blogspot.com/-lkzIos6UOcg/Wjgh5idWn4I/AAAAAAAAFMo/wVMcYaBzcpI4g8cX-pf6bDtv2KXckvLcgCK4BGAYYCw/s1600/041596439c9149c73427dfbb082b6da1-733216.png"><img alt="" 
border="0" height="436" id="BLOGGER_PHOTO_ID_6500983334495494018" src="https://3.bp.blogspot.com/-lkzIos6UOcg/Wjgh5idWn4I/AAAAAAAAFMo/wVMcYaBzcpI4g8cX-pf6bDtv2KXckvLcgCK4BGAYYCw/s640/041596439c9149c73427dfbb082b6da1-733216.png" width="640" /></a></div><div><br /></div><div>If we change the file path within Burp Suite and forward the request, we can try accessing other files inside that directory.</div><div>Specifically, we can access the source code for the web server and, if we change the file path to point at <i>Authinfo.xml</i>, we can also see all existing users and passwords listed in plaintext.</div><div><a href="http://1.bp.blogspot.com/-o-Szp6y61UQ/Wjgh6dvBWwI/AAAAAAAAFMw/bXQc0_Sc4A85gtA7EaTCiN4Yo_FFS43QwCK4BGAYYCw/s1600/14436b388e4f486c99a4e867cd022288-735663.png"><img alt="" border="0" height="332" id="BLOGGER_PHOTO_ID_6500983350407289602" src="https://1.bp.blogspot.com/-o-Szp6y61UQ/Wjgh6dvBWwI/AAAAAAAAFMw/bXQc0_Sc4A85gtA7EaTCiN4Yo_FFS43QwCK4BGAYYCw/s640/14436b388e4f486c99a4e867cd022288-735663.png" width="640" /></a></div><div><a href="http://3.bp.blogspot.com/-neZvCNgcWbI/Wjgh60V9UWI/AAAAAAAAFM4/PwW_jfCazzM2qJnQXXhype4s2Q_8HHIBwCK4BGAYYCw/s1600/e5c2d1d63d8b4370a9b5fa2474bef476-737718.png"><img alt="" border="0" height="350" id="BLOGGER_PHOTO_ID_6500983356476182882" src="https://3.bp.blogspot.com/-neZvCNgcWbI/Wjgh60V9UWI/AAAAAAAAFM4/PwW_jfCazzM2qJnQXXhype4s2Q_8HHIBwCK4BGAYYCw/s640/e5c2d1d63d8b4370a9b5fa2474bef476-737718.png" width="640" /></a></div><div><br /></div><div>Needless to say, this shouldn't be going on.</div><div><br /></div><div><i>Command injection</i></div><div><br /></div><div>The <i>Newsletter Signup</i> field is vulnerable to command injection, so we can run the <i>ipconfig</i> command and store its output in a text file.</div><div><br /></div><div><a href="http://4.bp.blogspot.com/-pPBgUAJ3nbI/Wjgh7STUXtI/AAAAAAAAFNA/TBayyDlHWPAzIQmByDhQX-ZJphMgk-FRACK4BGAYYCw/s1600/d3ca7c9a8c5b56fc05d535ebeffede2f-740203.png"><img alt="" border="0" height="378" 
id="BLOGGER_PHOTO_ID_6500983364518174418" src="https://4.bp.blogspot.com/-pPBgUAJ3nbI/Wjgh7STUXtI/AAAAAAAAFNA/TBayyDlHWPAzIQmByDhQX-ZJphMgk-FRACK4BGAYYCw/s640/d3ca7c9a8c5b56fc05d535ebeffede2f-740203.png" width="640" /></a></div><div>For this purpose, we're gonna run the command <b>username@example.com &amp; ipconfig &gt; C:\inetpub\wwwroot\Book.test.txt</b>.</div><div><br /></div><div>In the video, I inadvertently misspelled the output file name as <i>text.txt</i>; however, if we browse to its URL, we can see the output of the <i>ipconfig</i> command on the back-end server.</div><div><br /></div><div>Needless to say, this shouldn't be going on.</div><div><br /></div><div><a href="http://3.bp.blogspot.com/-QJBr704wgeI/Wjgh7_ExynI/AAAAAAAAFNI/lE5UmYTJtGUrQAIyCYwNbaJNoAPsz_GfQCK4BGAYYCw/s1600/c3646a6283980682118575ffc4fa1b76-742309.png"><img alt="" border="0" height="640" id="BLOGGER_PHOTO_ID_6500983376536783474" src="https://3.bp.blogspot.com/-QJBr704wgeI/Wjgh7_ExynI/AAAAAAAAFNI/lE5UmYTJtGUrQAIyCYwNbaJNoAPsz_GfQCK4BGAYYCw/s640/c3646a6283980682118575ffc4fa1b76-742309.png" width="562" /></a></div><div><i>Wrap-up</i></div><div><br /></div><div>This simple walkthrough points out once again how following secure coding practices is paramount for a web server to remain secure.</div><div><br /></div><div>Input validation, a web application firewall and server-side validation would prevent such situations from occurring, yet this is exactly how breaches often happen.</div><div><br /></div><div>Overlooking these issues can lead to massive breaches, as Equifax and other recent cases have so dramatically shown.<br /><br /><b><a href="https://savvygeektips.blogspot.com/2018/01/tips-for-information-security.html">Episode 49</a></b><br /><br /><a href="https://savvygeektips.blogspot.com/2017/12/tips-for-information-security_14.html"><b>Episode 47</b></a></div></div><div class="blogger-post-footer"><hr />
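The wrap-up above asks for server-side validation and a way to notice these requests; as an added example (not from the post or the video), here is a small log-review script that looks in IIS W3C log lines for the two request shapes this walkthrough produced: a form value carrying a percent-encoded shell metacharacter, and a newsletter path pointing at Authinfo.xml. The field layout and the sample lines are constructed, not taken from the actual server.

```shell
#!/bin/sh
# Added example (not from the post): scan IIS W3C log lines for the two
# abuses the walkthrough demonstrates, a shell metacharacter smuggled into
# a form value ("... & ipconfig > ...") and a client-supplied newsletter
# path pointing at the Authinfo.xml credential file.
# Assumed (constructed) field layout: date time s-ip cs-method cs-uri-stem
# cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status.

# Print a reason if the URL-encoded query string looks like an injection
# attempt, or nothing if it looks benign. Always exits 0 so it can be used
# inside a command substitution under "set -e".
classify_query() {
    q=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # case-insensitive matching
    case $q in
        # A literal & | ; ` or $( inside a form value arrives percent-encoded
        # (a bare & is only the parameter separator).
        *%26*|*%7c*|*%3b*|*%60*|*%24%28*)
            printf '%s' "shell metacharacter inside a parameter value" ;;
        *authinfo.xml*)
            printf '%s' "request for the Authinfo.xml credential file" ;;
        *..%5c*|*..%2f*|*../*|*%2e%2e*)
            printf '%s' "directory traversal sequence" ;;
    esac
    return 0
}

# Read log lines on stdin and print one line per suspicious request:
# "date time client-ip method uri-stem [reason]". Comment lines (#...) are
# skipped. Globbing is disabled while splitting so that a query containing
# "*" or "?" is not expanded against the local filesystem.
# Note that a client-chosen absolute path in the file parameter is the
# design flaw itself; the fix is to map the logged-in user to a server-side
# folder rather than to trust the path in the request.
scan_iis_log() {
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        set -f
        set -- $line
        set +f
        [ $# -ge 9 ] || continue
        reason=$(classify_query "$6")
        if [ -n "$reason" ]; then
            printf '%s %s %s %s %s [%s]\n' "$1" "$2" "$9" "$4" "$5" "$reason"
        fi
    done
    return 0
}

# Constructed sample lines, including the #Fields header IIS writes.
SAMPLE_LOG='#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2017-12-18 20:19:01 10.0.0.5 GET /Book/Newsletter.aspx file=C%3A%5Cinetpub%5Cwwwroot%5CBook%5Cmike%5Cnews.txt 80 mike 10.0.0.99 Mozilla/5.0 200
2017-12-18 20:19:15 10.0.0.5 GET /Book/Newsletter.aspx file=C%3A%5Cinetpub%5Cwwwroot%5CBook%5CAuthinfo.xml 80 mike 10.0.0.99 Mozilla/5.0 200
2017-12-18 20:20:02 10.0.0.5 GET /Book/Signup.aspx email=username%40example.com+%26+ipconfig+%3E+C%3A%5Cinetpub%5Cwwwroot%5CBook%5Ctest.txt 80 - 10.0.0.99 Mozilla/5.0 200
2017-12-18 20:21:40 10.0.0.5 GET /Book/Signup.aspx email=alice%40example.com 80 - 10.0.0.77 Mozilla/5.0 200'

# Demonstration on the constructed sample; on a real server you would feed
# an exported log file instead, e.g. "scan_iis_log < u_ex171218.log".
printf '%s\n' "$SAMPLE_LOG" | scan_iis_log
```

Only the query string is visible here, so a value posted in a form body needs application-level logging or a WAF in front of the server to be caught the same way.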
</div><div class="feedflare">
</div>noreply@blogger.com (Mattia Campagnano)0http://savvygeektips.blogspot.com/2017/12/tips-for-information-security_18.htmltag:blogger.com,1999:blog-2419284614709488194.post-156858097677965668Fri, 15 Dec 2017 16:16:00 +00002017-12-15T11:16:43.381-05:00About MecybersecuritygeneralLooking for volunteering and learning opportunities<span style="color: yellow;">TO PENTESTING COMPANIES IN NORTHEAST OHIO</span>:<br />I want to be a pentester more than anything. If you think my age is an issue, no one has my drive and determination. I'm willing to work for you even for free, studying for my OSCP. If that sounds good, tweet me or message me. I only ask for one chance, then feed me to the lions, if I fail.<br /><br /><span style="color: yellow;">TO NON-PROFIT ORGANIZATIONS IN AKRON/CANTON AREA</span>:<br />If you need someone to help you with network administration, system administration, virus removal, security policies and any other PC issues, I'll do it for free. 
It's a win-win for us both. To contact me, simply tweet me or message me.<br /><br /><iframe allow="encrypted-media" allowfullscreen="" frameborder="0" gesture="media" height="315" src="https://www.youtube.com/embed/IC2ir15Hpqs" width="560"></iframe> <br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-LExMBg5DLuM/WjO7IMb6BLI/AAAAAAAAFMM/9BC8lj_XXVkt2PoWFu5lh4p7l6fPAmDTwCLcBGAs/s1600/Picture1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="362" data-original-width="357" height="640" src="https://3.bp.blogspot.com/-LExMBg5DLuM/WjO7IMb6BLI/AAAAAAAAFMM/9BC8lj_XXVkt2PoWFu5lh4p7l6fPAmDTwCLcBGAs/s640/Picture1.png" width="630" /></a></div><br /><br /><span style="color: yellow;"><a href="https://goo.gl/LekJmh"><i><b>CHECK OUT MY RESUME</b></i></a></span><div class="blogger-post-footer"><hr />
</div><div class="feedflare">
</div>noreply@blogger.com (Mattia Campagnano)0http://savvygeektips.blogspot.com/2017/12/looking-for-volunteering-and-learning.htmltag:blogger.com,1999:blog-2419284614709488194.post-320723656878575011Thu, 14 Dec 2017 17:39:00 +00002017-12-18T15:21:27.922-05:00cybersecurityhackingKali Linuxpentestingtips&tricksTips for an Information Security Analyst/Pentester career - Ep. 47: Post-exploitation (pt. 3)<div class="ennote"><div>This time we're gonna talk about <b><span style="color: yellow;">pivoting</span>.</b></div><div><br /></div><iframe allow="encrypted-media" allowfullscreen="" frameborder="0" gesture="media" height="315" src="https://www.youtube.com/embed/5tX1h0RaDsQ" width="560"></iframe> <br /><div>We're using post-exploitation techniques in order to gain access to an internal subnet that is unreachable from Kali.</div><div><br /></div><div><i>Configuration</i></div><div><i><br /></i></div><div><i>a)</i> <i>Kali Linux 2017.3</i>: one network adapter (Bridged configuration)</div><div><br /></div><div><i>b)</i> <i>Windows 7</i>: two network adapters (<span style="color: yellow;"><b>network adapter 1</b></span>: Bridged configuration; <span style="color: yellow;"><b>network adapter 2:</b></span> custom network, static IP configuration: 172.16.137.3, subnet mask 255.255.255.240, i.e. the 172.16.137.0/28 subnet)</div><div><br /></div><div><i>c) Windows XP SP 3:</i> one network adapter (custom network, static IP configuration: 172.16.137.4, subnet mask 255.255.255.240).</div><div><br /></div><div><i>Problem</i></div><div><br /></div><div>We have no direct way of attacking the Windows XP machine from Kali, as it's located in a subnet Kali has no route to; Windows 7 is the only host with a foot in both networks.</div><div><br /></div><div>If, for example, our Windows XP machine was located in the internal network and our Windows 7 was in the DMZ, there would be no way for 
us to exploit the XP machine directly from the attacking machine, which doesn't belong to that network nor has any route into it.</div><div><br /></div><div><br /></div><div><i>Solution</i></div><div><i><br /></i></div><div>We can only attack Windows 7 and then, once we have a Meterpreter session open, reach XP from there, as the two Windows VMs are on the same subnet.</div><div><br /></div><div><span style="color: yellow;"><b>a) attack</b></span></div><div><i><br /></i></div><div>I created a payload using Veil, as shown in<a href="https://savvygeektips.blogspot.com/2017/12/tips-for-information-security.html"> Episode 43</a>, in order to attack Windows 7.</div><div><br /></div><div>I moved it to the web server directory, downloaded it to Windows 7 and ran it successfully (<i>no antivirus alert popped up, great!</i>).</div><div><br /></div><div><a href="http://1.bp.blogspot.com/-sIOQbpWSauo/WjK0Lf0XFRI/AAAAAAAAFLg/PIkaOtB-wBU-zMvJwNWvwWpr4y-bYsMkACK4BGAYYCw/s1600/58e3ed8edf5e0a25f800b3d41e7f41a5-763312.png"><img alt="" border="0" height="370" id="BLOGGER_PHOTO_ID_6499455321861723410" src="https://1.bp.blogspot.com/-sIOQbpWSauo/WjK0Lf0XFRI/AAAAAAAAFLg/PIkaOtB-wBU-zMvJwNWvwWpr4y-bYsMkACK4BGAYYCw/s640/58e3ed8edf5e0a25f800b3d41e7f41a5-763312.png" width="640" /></a></div><div><br /></div><div>Then I used <span style="color: yellow;"><b>multi/handler</b></span> to pick up the reverse connection from our victim machine.</div><div><br /></div><div><a href="http://2.bp.blogspot.com/-LDbsEfM_g-A/WjK0MC8V81I/AAAAAAAAFLo/3Y-XfgbduZklBLsLaMxYkJSMQ40zaZVagCK4BGAYYCw/s1600/ef1625c190b146d9a5647519f35b1029-766348.png"><img alt="" border="0" height="422" id="BLOGGER_PHOTO_ID_6499455331290444626" src="https://2.bp.blogspot.com/-LDbsEfM_g-A/WjK0MC8V81I/AAAAAAAAFLo/3Y-XfgbduZklBLsLaMxYkJSMQ40zaZVagCK4BGAYYCw/s640/ef1625c190b146d9a5647519f35b1029-766348.png" width="640" /></a></div><div><br /></div><div>We easily get a Meterpreter session and also a privilege escalation, by using 
<span style="color: yellow;"><b>exploit/windows/local/bypassuac</b></span><i> (see video for more details)</i></div><div><b><br /></b></div><div><span style="color: yellow;"><b>b) adding a manual route</b></span></div><div><b><br /></b></div><div>Now that we have a Meterpreter session open, we can add a route to the 172.16.137.0/28 subnet that sends Metasploit's traffic for that subnet through the session.</div><div><br /></div><div>I did this through a Meterpreter script called <b>autoroute</b> (<b>run autoroute -s 172.16.137.0/28</b>; the same logic also exists as the <b>post/multi/manage/autoroute</b> module). There's also a Meterpreter command (<b>route add</b>), but, for some reason, I was unable to get it to work. Note that the Metasploit <b>route</b> command is an msfconsole command, so it has to be issued from the msf prompt after backgrounding the session, as <b>route add 172.16.137.0 255.255.255.240 &lt;session id&gt;</b>; the <b>route</b> command typed inside Meterpreter is a different one, which edits the victim's own routing table.</div><div><br /></div><div><a href="http://2.bp.blogspot.com/--ZnabOadVKM/WjK0Mu-7ujI/AAAAAAAAFLw/3u7XzL8iWfUOL3D5En_PDLMtZqGK6ToLgCK4BGAYYCw/s1600/7aa469fa87046000dbff79135e143f92-768663.png"><img alt="" border="0" height="406" id="BLOGGER_PHOTO_ID_6499455343112469042" src="https://2.bp.blogspot.com/--ZnabOadVKM/WjK0Mu-7ujI/AAAAAAAAFLw/3u7XzL8iWfUOL3D5En_PDLMtZqGK6ToLgCK4BGAYYCw/s640/7aa469fa87046000dbff79135e143f92-768663.png" width="640" /></a></div><div><br /></div><div><span style="color: yellow;"><b>c) Recon on Windows XP</b></span></div><div><br /></div><div>We can now try to attack our Windows XP VM through our Windows 7 VM, but we need to start from scratch, from the recon stage.</div><div><br /></div><div>To understand what ports are open on XP, we can use an auxiliary module that runs a port scanner (<b>auxiliary/scanner/portscan/tcp</b>, with RHOSTS set to 172.16.137.4): thanks to the route we just added, its connections travel through the Windows 7 session.</div><div><br /></div><div>Though this scanner isn't as good as Nmap, it can nonetheless provide us with plenty of good information. Nmap itself can't use a Metasploit route; to run it through the pivot you'd have to start a SOCKS proxy module in Metasploit and wrap Nmap in proxychains, which limits you to TCP connect scans.</div><div><br /></div><div><a href="http://3.bp.blogspot.com/-wg79JHdUWkA/WjK0NTbdBlI/AAAAAAAAFL4/alb_i3rhxOAttl8-nF17C68i66zd-grygCK4BGAYYCw/s1600/506a9aaf72ef00a39010dca5b5a53d50-771078.png"><img alt="" border="0" height="232" id="BLOGGER_PHOTO_ID_6499455352895768146" src="https://3.bp.blogspot.com/-wg79JHdUWkA/WjK0NTbdBlI/AAAAAAAAFL4/alb_i3rhxOAttl8-nF17C68i66zd-grygCK4BGAYYCw/s640/506a9aaf72ef00a39010dca5b5a53d50-771078.png" width="640" /></a></div><div><br 
/></div><div><span style="color: yellow;"><b>d) Exploitation</b></span></div><div><br /></div><div>In her book and class, Georgia Weidman exploits the XP VM through the well-known <b>exploit/windows/smb/ms08_067_netapi</b> module, but my XP machine turns out not to be vulnerable to this exploit, though SMB is listening on port 445.</div><div><br /></div><div>Windows XP SP3 is actually among the module's listed targets (several language builds of it), so a failed run here more likely means this VM has the MS08-067 patch installed, or that the automatic target selection picked the wrong build; the module's <b>check</b> command tells you whether the host is vulnerable before you fire the exploit.</div><div><br /></div><div>I've been trying to find other exploits against the vulnerable software I installed for this machine for a while, but none worked so far.</div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-wOdgMqo6LhY/WjK0OMi6jcI/AAAAAAAAFMA/CRqtGTYkseo3VYMog-cFIjqkCC1IbiGBACK4BGAYYCw/s1600/aa9df96521b038488dcbfcbeb78b76bb-774328.png" style="margin-left: 1em; margin-right: 1em;"><img alt="" border="0" height="412" id="BLOGGER_PHOTO_ID_6499455368227884482" src="https://3.bp.blogspot.com/-wOdgMqo6LhY/WjK0OMi6jcI/AAAAAAAAFMA/CRqtGTYkseo3VYMog-cFIjqkCC1IbiGBACK4BGAYYCw/s640/aa9df96521b038488dcbfcbeb78b76bb-774328.png" width="640" /></a></div>This situation is trickier than other contexts where I successfully exploited XP, because a plain reverse payload can't be used.</div><div><br /></div><div>Even if I used a Veil or msfvenom reverse payload, XP would try to connect back to Kali's address, which it has no route to, so the connection would never arrive.</div><div><br /></div><div>The usual ways around this are a bind payload (e.g. <b>windows/meterpreter/bind_tcp</b>), which Metasploit connects to through the route we added, or a reverse payload whose LHOST is the pivot's internal address (172.16.137.3), combined with a reverse port forward (<b>portfwd add -R</b>) in the Windows 7 session that relays that port back to Kali. Either way, the pivot host, not Kali, is the endpoint XP talks to.</div><div><br /></div><div>You guys know me, I'm not a quitter, so I'll try it harder.<br /><br /><a href="https://savvygeektips.blogspot.com/2017/12/tips-for-information-security_18.html"><b>Episode 48 </b></a><br /><br /><b><a href="https://savvygeektips.blogspot.com/2017/12/tips-for-information-security_13.html">Episode 46</a></b> </div><div><br /></div><div><br /><br /></div></div><div class="blogger-post-footer"><hr />
</div><div class="feedflare">
</div>noreply@blogger.com (Mattia Campagnano)0http://savvygeektips.blogspot.com/2017/12/tips-for-information-security_14.htmltag:blogger.com,1999:blog-2419284614709488194.post-8980949084938790097Wed, 13 Dec 2017 16:35:00 +00002017-12-14T12:50:56.825-05:00hackingKali Linuxpentestingtips&tricksTips for an Information Security Analyst/Pentester career - Ep. 46: Post-exploitation (pt. 2)<div class="ennote"><div>In this post, we'll keep analyzing post-exploitation tools and techniques.<br /><br /></div><iframe allow="encrypted-media" allowfullscreen="" frameborder="0" gesture="media" height="315" src="https://www.youtube.com/embed/Oq1P_wv_k-U" width="560"></iframe> <br /><div><br /></div><div><i>a) Recording keystrokes&nbsp;</i></div><div><i><br /></i></div><div>We can start a&nbsp;keylogger on the victim machine with <i>keyscan_start</i>.</div><div><i><br /></i></div><div>Anything typed on the victim machine from then on is logged and we can view it with <i>keyscan_dump</i>. The keylogger only sees the desktop of the process our session lives in, so to capture what the logged-on user types you migrate to one of their processes first (e.g. <i>explorer.exe</i>); to catch credentials typed at the logon screen, migrate to <i>winlogon.exe</i>.</div><div><br /></div><div><a href="http://1.bp.blogspot.com/-tuZPlLQAvhw/WjFVZf7kKAI/AAAAAAAAFKI/wJeznOoCRg85ExxowBtQOMv50AHO4p8MACK4BGAYYCw/s1600/20717bca6503fcf382855699cd0399a4-763583.png"><img alt="" border="0" height="182" id="BLOGGER_PHOTO_ID_6499069633828759554" src="https://1.bp.blogspot.com/-tuZPlLQAvhw/WjFVZf7kKAI/AAAAAAAAFKI/wJeznOoCRg85ExxowBtQOMv50AHO4p8MACK4BGAYYCw/s640/20717bca6503fcf382855699cd0399a4-763583.png" width="640" /></a></div><div><br /></div><div>b) <i>Grabbing SCP credentials:</i></div><div><i><br /></i></div><div>&nbsp;Our Windows XP target includes WinSCP, a Windows client for Secure Copy (SCP), a UNIX file transfer protocol that runs over SSH on TCP port 22.</div><div><br /></div><div>We purposely saved the password in the session settings (which is not 
recommended by the software itself) and, thanks to the<b> post/windows/gather/credentials/winscp</b> post-exploitation module, we're able to grab the credentials so we can successfully copy files from XP to Ubuntu.</div><div><br /></div><div><a href="http://4.bp.blogspot.com/-u7f_1ltkvoQ/WjFVaFDMLmI/AAAAAAAAFKQ/ljK5GT80ns82tMINjboqKcfJJ03UqBV3ACK4BGAYYCw/s1600/6adf3c7338c20ee3fb8cbf3ceb11cc5f-766929.png"><img alt="" border="0" height="342" id="BLOGGER_PHOTO_ID_6499069643792854626" src="https://4.bp.blogspot.com/-u7f_1ltkvoQ/WjFVaFDMLmI/AAAAAAAAFKQ/ljK5GT80ns82tMINjboqKcfJJ03UqBV3ACK4BGAYYCw/s640/6adf3c7338c20ee3fb8cbf3ceb11cc5f-766929.png" width="640" /></a></div><div><br /></div><div>c<i>) Analyzing bash command history:</i></div><div><i><br /></i></div><div>In the previous post, we had gotten a reverse shell from Ubuntu by using a public exploit.&nbsp;</div><div><br /></div><div>As we're still connected as root, we can analyze the bash command history for user <i>georgia</i>, located under <b>/home/georgia/.bash_history.</b></div><div><i><br /></i></div><div>We notice a very interesting line; Georgia was so kind to tell us what her password was.&nbsp;</div><div><br /></div><div>We could have saved some time in the previous post, but everything you learn isn't wasted time, anyway.</div><div><br /></div><div><a href="http://4.bp.blogspot.com/-MwTIVXlAvv8/WjFVaqWybrI/AAAAAAAAFKY/YYg-P1JVsMktms6vxGwruo65ZrGDWtBpgCK4BGAYYCw/s1600/441744a3fc3f1a95425ea1f38b529abb-769191.png"><img alt="" border="0" height="270" id="BLOGGER_PHOTO_ID_6499069653807165106" src="https://4.bp.blogspot.com/-MwTIVXlAvv8/WjFVaqWybrI/AAAAAAAAFKY/YYg-P1JVsMktms6vxGwruo65ZrGDWtBpgCK4BGAYYCw/s640/441744a3fc3f1a95425ea1f38b529abb-769191.png" width="640" /></a></div><div><br /></div><div>d) <i>Leveraging an SMB vulnerability</i></div><div><i><br /></i></div><div>We can use a post-exploitation module (exploit/windows/smb/psexec) alike PsExec (belonging to<a 
href="https://docs.microsoft.com/en-us/sysinternals/downloads/pstools"> Sysinternals' PsTools</a>) to run arbitrary commands against SMB.</div><div></div><blockquote class="tr_bq"><div>According to its official description, PsExec "<i>is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. PsExec's most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools like IpConfig that otherwise do not have the ability to show information about remote systems"</i>.</div></blockquote><div><a href="http://1.bp.blogspot.com/-6n4ffM-GVss/WjFVbbwA06I/AAAAAAAAFKg/oG5U0sLfr1IlIFMkglOhqBowyNYcn9kYACK4BGAYYCw/s1600/8b24b3a3f34344fc70bee76514fbf596-771531.png"><img alt="" border="0" height="270" id="BLOGGER_PHOTO_ID_6499069667066303394" src="https://1.bp.blogspot.com/-6n4ffM-GVss/WjFVbbwA06I/AAAAAAAAFKg/oG5U0sLfr1IlIFMkglOhqBowyNYcn9kYACK4BGAYYCw/s640/8b24b3a3f34344fc70bee76514fbf596-771531.png" width="640" /></a></div><div><br /></div><div>We need to configure a couple of parameters to make this work.</div><div><br /></div><div><a href="http://2.bp.blogspot.com/-hOSQcMLwRDU/WjFVf2jz1wI/AAAAAAAAFKo/REQzhGl6UQ0wjpDwySji66co9xIhVaZuQCK4BGAYYCw/s1600/0688c1e558514d250c8c44edca8b057c-773921.png"><img alt="" border="0" height="110" id="BLOGGER_PHOTO_ID_6499069742982354690" src="https://2.bp.blogspot.com/-hOSQcMLwRDU/WjFVf2jz1wI/AAAAAAAAFKo/REQzhGl6UQ0wjpDwySji66co9xIhVaZuQCK4BGAYYCw/s640/0688c1e558514d250c8c44edca8b057c-773921.png" width="640" /></a></div><div><a href="http://1.bp.blogspot.com/-WZb65YvWug8/WjFVgQy4BqI/AAAAAAAAFKw/lixH3ZfVvgU_GblLcYOAuduUeybahsuvQCK4BGAYYCw/s1600/00dc7a4c3550b1486f911beb9b3603bf-792401.png"><img alt="" border="0" height="228" id="BLOGGER_PHOTO_ID_6499069750024865442" 
src="https://1.bp.blogspot.com/-WZb65YvWug8/WjFVgQy4BqI/AAAAAAAAFKw/lixH3ZfVvgU_GblLcYOAuduUeybahsuvQCK4BGAYYCw/s640/00dc7a4c3550b1486f911beb9b3603bf-792401.png" width="640" /></a></div><div><span style="color: yellow;"><b>Analyzing the list of current processes with <i>ps</i> might reveal other ways to get in, through vulnerable services not uncovered by our initial Nmap scan.</b></span></div><div><br /></div><div>For example, we can see there's a 3com server that's vulnerable to an attack and we hadn't uncovered it initially.</div><div><br /></div><div><i>e) Meterpreter extensions:</i></div><div><i><br /></i></div><div>Meterpreter contains additional extensions, which aren't automatically loaded manually when we get a session, but may be loaded manually through the <span style="color: yellow;"><b>load &lt;extension_name&gt;</b></span> syntax.</div><div><br /></div><div><b>1) incognito</b></div><div><br /></div><div><i>Incognito</i> lists all <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/aa374909(v=vs.85).aspx">tokens</a> available in the target system, allowing you to steal a token belonging to a specific user and impersonate him/her.&nbsp;</div><div><br /></div><div><a href="http://3.bp.blogspot.com/-RVoqblWcgOk/WjFVhIo7__I/AAAAAAAAFK4/ZNr39KRWB_EJPbV5SAnoKm2QiyLpWK0sgCK4BGAYYCw/s1600/4447f5b3fda3221977656df0753562d2-794524.png"><img alt="" border="0" height="442" id="BLOGGER_PHOTO_ID_6499069765015568370" src="https://3.bp.blogspot.com/-RVoqblWcgOk/WjFVhIo7__I/AAAAAAAAFK4/ZNr39KRWB_EJPbV5SAnoKm2QiyLpWK0sgCK4BGAYYCw/s640/4447f5b3fda3221977656df0753562d2-794524.png" width="640" /></a></div><div><a href="http://2.bp.blogspot.com/-sRKSVcgrrgE/WjFVhnFoR6I/AAAAAAAAFLA/c4PtDIVrTegIAwcQRq0KP1-RARUCTdnhwCK4BGAYYCw/s1600/cbea7bb9f3594369615ddb597c5c5ce8-796745.png"><img alt="" border="0" height="94" id="BLOGGER_PHOTO_ID_6499069773188974498" 
src="https://2.bp.blogspot.com/-sRKSVcgrrgE/WjFVhnFoR6I/AAAAAAAAFLA/c4PtDIVrTegIAwcQRq0KP1-RARUCTdnhwCK4BGAYYCw/s640/cbea7bb9f3594369615ddb597c5c5ce8-796745.png" width="640" /></a></div><div><br /></div><div><b>2 ) mimikatz: </b>Quoting Offensive Security,&nbsp;Mimikatz<i> </i>is<i>&nbsp;</i><br /><blockquote class="tr_bq"><i>"a great post-exploitation script tool (..),&nbsp;an attempt to bundle together some of the most useful tasks that attackers will want to perform (..) in order&nbsp;to get a firmer foothold on the computer/network".</i></blockquote></div><div><br /></div><div>Here we're using it to understand if there are some Kerberos passwords saved in plaintext and, lo and behold, we found some.</div><div><br /></div><div><a href="http://3.bp.blogspot.com/-jV98qS_9TSU/WjFViHKDqqI/AAAAAAAAFLI/Hu07OVXiIN82AHZj63dorHsiJ8VJk0JTQCK4BGAYYCw/s1600/f7ca72cc239526223e8adeca9f8f6345-799101.png"><img alt="" border="0" height="312" id="BLOGGER_PHOTO_ID_6499069781797481122" src="https://3.bp.blogspot.com/-jV98qS_9TSU/WjFViHKDqqI/AAAAAAAAFLI/Hu07OVXiIN82AHZj63dorHsiJ8VJk0JTQCK4BGAYYCw/s640/f7ca72cc239526223e8adeca9f8f6345-799101.png" width="640" /></a></div><div><br /></div><div><b>3) search tool:&nbsp;</b></div><div><br /></div><div>We can search for files related to specific keywords in our target machine. 
I found a file called <i>financial_information,tx</i>t, which I could've missed otherwise.</div><div><a href="http://2.bp.blogspot.com/-MAzThE6G8iw/WjFVi7wHmyI/AAAAAAAAFLQ/Jyh9yLuhBFU_M4Xtw07TpenaTRLgEeubACK4BGAYYCw/s1600/5e88a207b923d5eecac8ac8423fef724-701394.png"><img alt="" border="0" height="76" id="BLOGGER_PHOTO_ID_6499069795915766562" src="https://2.bp.blogspot.com/-MAzThE6G8iw/WjFVi7wHmyI/AAAAAAAAFLQ/Jyh9yLuhBFU_M4Xtw07TpenaTRLgEeubACK4BGAYYCw/s640/5e88a207b923d5eecac8ac8423fef724-701394.png" width="640" /></a></div><div><br /></div><div><br /></div><div>We're gonna continue analyzing post-exploitation tools and techniques in the coming posts, so stay tuned!<br /><br /><a href="https://savvygeektips.blogspot.com/2017/12/tips-for-information-security_14.html"><b>Episode 47 </b></a><br /><br /><b><a href="https://savvygeektips.blogspot.com/2017/12/tips-for-information-security_11.html">Episode 45&nbsp; </a></b></div></div><script> (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){ (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o), m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m) })(window,document,'script','//www.google-analytics.com/analytics.js','ga'); ga('create', 'UA-45941375-1', 'savvygeektips.blogspot.com'); ga('send', 'pageview'); </script><div class="blogger-post-footer"><hr />
<a href="http://savvygeektips.blogspot.com>One Tip A Day Tech Blog</a></div><div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/blogspot/HLRhI?a=YOyQ6hXwNXs:u7ySYC00WEA:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/blogspot/HLRhI?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/HLRhI?a=YOyQ6hXwNXs:u7ySYC00WEA:63t7Ie-LG7Y"><img src="http://feeds.feedburner.com/~ff/blogspot/HLRhI?d=63t7Ie-LG7Y" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/HLRhI?a=YOyQ6hXwNXs:u7ySYC00WEA:dnMXMwOfBR0"><img src="http://feeds.feedburner.com/~ff/blogspot/HLRhI?d=dnMXMwOfBR0" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/HLRhI?a=YOyQ6hXwNXs:u7ySYC00WEA:F7zBnMyn0Lo"><img src="http://feeds.feedburner.com/~ff/blogspot/HLRhI?i=YOyQ6hXwNXs:u7ySYC00WEA:F7zBnMyn0Lo" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/HLRhI?a=YOyQ6hXwNXs:u7ySYC00WEA:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/blogspot/HLRhI?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/HLRhI?a=YOyQ6hXwNXs:u7ySYC00WEA:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/blogspot/HLRhI?i=YOyQ6hXwNXs:u7ySYC00WEA:V_sGLiPBpWU" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/HLRhI?a=YOyQ6hXwNXs:u7ySYC00WEA:qj6IDK7rITs"><img src="http://feeds.feedburner.com/~ff/blogspot/HLRhI?d=qj6IDK7rITs" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/HLRhI?a=YOyQ6hXwNXs:u7ySYC00WEA:gIN9vFwOqvQ"><img src="http://feeds.feedburner.com/~ff/blogspot/HLRhI?i=YOyQ6hXwNXs:u7ySYC00WEA:gIN9vFwOqvQ" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/blogspot/HLRhI?a=YOyQ6hXwNXs:u7ySYC00WEA:TzevzKxY174"><img src="http://feeds.feedburner.com/~ff/blogspot/HLRhI?d=TzevzKxY174" border="0"></img></a>
</div><img src="http://feeds.feedburner.com/~r/blogspot/HLRhI/~4/YOyQ6hXwNXs" height="1" width="1" alt=""/>http://feedproxy.google.com/~r/blogspot/HLRhI/~3/YOyQ6hXwNXs/tips-for-information-security_13.htmlnoreply@blogger.com (Mattia Campagnano)0http://savvygeektips.blogspot.com/2017/12/tips-for-information-security_13.htmltag:blogger.com,1999:blog-2419284614709488194.post-4418243148605735040Mon, 11 Dec 2017 19:32:00 +00002018-02-13T00:57:16.761-05:00hackingLinuxpentestingtips&tricksWindowsTips for an Information Security Analyst/Pentester career - Ep. 45: Post-exploitation (pt. 1)<div class="ennote"><div>So far we've analyzed how to exploit a system, now we'll see how to go from there.</div><div><br /></div><div><i>Post-exploitation commands</i></div><div><br /></div><div>Once we're within our session, Meterpreter allows us to use additional commands, other than the commands native to the specific systems, whether it is Linux or UNIX/Linux.<br /><br /></div><iframe allow="encrypted-media" allowfullscreen="" frameborder="0" gesture="media" height="315" src="https://www.youtube.com/embed/DSOKaklIfok" width="560"></iframe> <br /><div><br /></div><div>Here I'm going to show you only some of them.</div><div><br /></div><div>Check the <a href="https://www.offensive-security.com/metasploit-unleashed/msf-post-exploitation/">official source</a> for more details.</div><div><br /></div><div><i>a) sysinfo:&nbsp;</i>Returns information on the target system, as shown below.</div><div><a href="http://3.bp.blogspot.com/-xoZy_zv4s0M/Wi7cZzJHEmI/AAAAAAAAFJQ/2Wi4dU43ZWsp8YzASLvGNtz-kBcaqrg9gCK4BGAYYCw/s1600/b3f31eaa17e3ef8332fcbd91a0f94162-716685.png"><img alt="" border="0" height="174" id="BLOGGER_PHOTO_ID_6498373648125465186" src="https://3.bp.blogspot.com/-xoZy_zv4s0M/Wi7cZzJHEmI/AAAAAAAAFJQ/2Wi4dU43ZWsp8YzASLvGNtz-kBcaqrg9gCK4BGAYYCw/s640/b3f31eaa17e3ef8332fcbd91a0f94162-716685.png" width="640" /></a></div><div>b) <i>getuid: </i>Returns the ID of the user we could hack in 
as.</div><div><br /></div><div>c)<i> getpid</i>: Returns the PID (process identifier) for the process we're currently running our session in.</div><div><br /></div><div>d) <i>getsystem:</i>&nbsp;Achieves a local privilege escalation. In Windows versions later than XP, it doesn't work per se, because of the UAC (User Access Control). We're gonna have to perform an exploit in order to disable UAC first and then run this command.</div><div><br /></div><div>e) <i>idletime:</i> It tells us how long the user logged on the victim machine has been idle.</div><div><br /></div><div>f) <i>upload</i> and <i>download</i>: we can upload and download files to and from the victim machine.&nbsp;</div><div><br /></div><div>In the video, I uploaded a reverse shell first and then I downloaded a text file.</div><div><br /></div><div>g) <i>hashdump:</i>&nbsp;Dumps the password hashes, if you could become system administrator. For you to dump the hashes, you might have to migrate to a process having a higher priority, automatically started at boot-up (e.g. 
<i>svchost.exe</i>).</div><div><br /></div><div><i>Post-exploitation tools&nbsp;</i></div><div><br /></div><div>Once we gained a meterpreter session, we can use two classes of tools:&nbsp;</div><div><br /></div><div><ul><li><b>Meterpreter scripts </b></li></ul></div><div><ul><li><b>Post-exploitation modules.</b></li></ul></div><div><b><br /></b></div><div><i>Meterpreter scripts</i></div><div><br /></div><div><b>Meterpreter scripts</b>, written in Ruby programming language, are considered to be deprecated and should be replaced all the time by post-exploitation modules.</div><div><br /></div><div>However, they're nonetheless very powerful.</div><div><br /></div><div>Scripts can be found within the <b>/usr/share/metasploit-framework/scripts/meterpreter </b>directory, and all have a <i>.rb</i> extension.</div><div><br /></div><div>In order to run a script, once you're in the Meterpreter session, you need to use the syntax <b>run &lt;script name&gt;</b>. You don't need to include the<i> .rb </i>file extension.</div><div><br /></div><div><i>Meterpreter scripts examples</i></div><div><i><br /></i></div><div><i>1)&nbsp;checkvm: </i>Allows to check whether the environment we're running is a virtual machine, or not. 
In our case, it correctly detects I'm running a VMware virtual machine.</div><div><br /></div><div><a href="http://4.bp.blogspot.com/-ekjWzZWyfJ8/Wi7cajgBRII/AAAAAAAAFJY/UjDEpCaQ_U8zWru9W8QBQD8Vk2fNs3ddACK4BGAYYCw/s1600/faafb0f2183c4007b34ee3eb07830784-720305.png"><img alt="" border="0" height="118" id="BLOGGER_PHOTO_ID_6498373661106455682" src="https://4.bp.blogspot.com/-ekjWzZWyfJ8/Wi7cajgBRII/AAAAAAAAFJY/UjDEpCaQ_U8zWru9W8QBQD8Vk2fNs3ddACK4BGAYYCw/s640/faafb0f2183c4007b34ee3eb07830784-720305.png" width="640" /></a></div><div><i>2) get_env: </i>Returns all systems and user variables.</div><div><br /></div><div><a href="http://4.bp.blogspot.com/-j9QmS6uDLbI/Wi7cbmVppZI/AAAAAAAAFJg/x6sjxHoFOj0T989a6KbmPUUv-wYvuXpGACK4BGAYYCw/s1600/669b52b50077e339ab74518b001b62dc-723969.png"><img alt="" border="0" height="344" id="BLOGGER_PHOTO_ID_6498373679048140178" src="https://4.bp.blogspot.com/-j9QmS6uDLbI/Wi7cbmVppZI/AAAAAAAAFJg/x6sjxHoFOj0T989a6KbmPUUv-wYvuXpGACK4BGAYYCw/s640/669b52b50077e339ab74518b001b62dc-723969.png" width="640" /></a></div><div><br /></div><div>3) <i>scraper:</i>&nbsp;Returns a wide series on information on the target system (the whole registry, password hashes, users, etc.), it stores all results under .<b>msf4/logs/scripts/scraper</b>.</div><div><br /></div><div>4) <i>winenum</i>: Enumerates a Windows domain by running a series of system command, including the very powerful <b>net</b> command, and stores its results under&nbsp;stores all results under .<span style="font-weight: bold;">msf4/logs/scripts/winenum.</span></div><div><span style="font-weight: bold;"><br /></span></div><div><span style="font-weight: bold;"><br /></span></div><div><i>Post-exploitation modules</i></div><div><i><br /></i></div><div>That's what Metasploit&nbsp;recommends to run. 
They're mostly equivalent to scripts and are stored in the <i>/post</i> directory, organized by target operating system.</div><div><br /></div><div>To use them, we need to background our Meterpreter session.</div><div><br /></div><div>Their syntax is the same as for exploits (<i>use</i> to select a specific module, <i>show options</i> to see its options, etc.).</div><div><br /></div><div>I'm going to show only a couple of examples, so you can get the hang of them. Check the video for more details.</div><div><br /></div><div>a) <i>post/windows/enum_logged_on_users: </i>Enumerates all Windows users who recently logged on to the system. Post-exploitation modules are very simple and don't require any payload to be configured.</div><div><br /></div><div>In this case, we only have to set the SESSION parameter and we're good to go.</div><div><br /></div><div><a href="http://2.bp.blogspot.com/-tQgx5ya--lc/Wi7ccCxFdII/AAAAAAAAFJo/MofKrCqH8ZQrNdnuRIiDJl5-isuse_jngCK4BGAYYCw/s1600/9242b90fc5aa7167725e206cfe09dbea-727125.png"><img alt="" border="0" height="352" id="BLOGGER_PHOTO_ID_6498373686679401602" src="https://2.bp.blogspot.com/-tQgx5ya--lc/Wi7ccCxFdII/AAAAAAAAFJo/MofKrCqH8ZQrNdnuRIiDJl5-isuse_jngCK4BGAYYCw/s640/9242b90fc5aa7167725e206cfe09dbea-727125.png" width="640" /></a></div><div><br /></div><div>b) <span style="font-style: italic;">post/windows/gather/enum_applications: </span>Returns the list of all applications currently installed on the system<span style="font-style: italic;">. 
</span>This list is exactly the same as the one we can get by running the <i>get_application_list</i> script.</div><div><br /></div><div><b>Privilege escalation on Ubuntu 8.10</b></div><div><br /></div><div>In a previous post, we could SSH into our Ubuntu machine by stealing the keys of user <i>georgia</i>, but the problem is we don't know her password, so we can't escalate privileges.</div><div><br /></div><div>We notice we're running Ubuntu 8.10 and its version of udev is very old.</div><div><br /></div><div>Udev versions earlier than 1.40 turned out to have a very bad <a href="https://www.cvedetails.com/cve/CVE-2009-1185/">vulnerability</a>: udev accepted messages from user space, rather than from kernel space only as it should, which could allow commands to be run as root.</div><div><br /></div><div>This vulnerability can be exploited against our VM, using a public exploit written in C that we can find with searchsploit.</div><div><br /></div><div><a href="https://github.com/offensive-security/exploit-database/blob/master/searchsploit">Searchsploit</a> gives you a copy of the Exploit Database handy on the local computer.</div><div><br /></div><div>All we need to know is the PID of the udevd netlink socket (normally the udevd PID minus one); we pass it as an argument, and the exploit executes /tmp/run.</div><div><br /></div><div>We can put any payload we want in /tmp/run and it'll be run as root.</div><div><br /></div><div>So I add a payload that opens up netcat on port 2222 and spawns a Bash shell.</div><div><br /></div><div>Since we already have access to the target machine, we can upload the exploit file to Ubuntu through <i>wget</i>, and then compile our C source into an executable with gcc.</div><div><br /></div><div><a href="http://4.bp.blogspot.com/-NEQcty8_nUg/Wi7cc_cs6rI/AAAAAAAAFJw/neZtioQ05kcbNZAykbwPVC_iw-Ts8uB-gCK4BGAYYCw/s1600/13dcaef1f61073e0351c46497adf9569-730121.png"><img alt="" border="0" height="196" id="BLOGGER_PHOTO_ID_6498373702968470194" 
src="https://4.bp.blogspot.com/-NEQcty8_nUg/Wi7cc_cs6rI/AAAAAAAAFJw/neZtioQ05kcbNZAykbwPVC_iw-Ts8uB-gCK4BGAYYCw/s640/13dcaef1f61073e0351c46497adf9569-730121.png" width="640" /></a></div><div><br /></div><div>At that point, if we run the exploit with the PID of the udevd netlink socket, we get a shell as root and can download the password hashes.</div><div><br /></div><div><i><a href="http://4.bp.blogspot.com/-oDa9-yCHgJE/Wi7cdkM1mdI/AAAAAAAAFJ4/9-q5hqwK7WgIIvC0H7Ih5wUS5VaggjdxACK4BGAYYCw/s1600/99e1d66b91cf03c240b0a0d2c4ae0e2d-732940.png"><img alt="" border="0" height="270" id="BLOGGER_PHOTO_ID_6498373712834042322" src="https://4.bp.blogspot.com/-oDa9-yCHgJE/Wi7cdkM1mdI/AAAAAAAAFJ4/9-q5hqwK7WgIIvC0H7Ih5wUS5VaggjdxACK4BGAYYCw/s640/99e1d66b91cf03c240b0a0d2c4ae0e2d-732940.png" width="640" /></a></i></div><div><br /></div><div><i>Wrap-up</i></div><div><br /></div><div>Through exploitation, we could get a shell on the victim machine, but this is only the start.</div><div><br /></div><div>The post-exploitation stage includes everything you do after gaining a shell, from leveraging further vulnerabilities to establishing persistence and, finally, covering your tracks.<br /><br /><b><a href="https://savvygeektips.blogspot.com/2017/12/tips-for-information-security_13.html">Episode 46 </a></b><br /><br /><b><a href="https://savvygeektips.blogspot.com/2017/12/tips-for-information-security_6.html">Episode 44 </a></b></div></div><div class="blogger-post-footer"><hr />
<a href="http://savvygeektips.blogspot.com">One Tip A Day Tech Blog</a></div><div class="feedflare">
</div>
noreply@blogger.com (Mattia Campagnano) | http://savvygeektips.blogspot.com/2017/12/tips-for-information-security_11.html

Wed, 06 Dec 2017 14:43:00 +0000 (updated 2018-01-08T09:14:23.082-05:00) | hacking, Kali Linux, pentesting, tips&tricks
Tips for an Information Security Analyst/Pentester career - Ep. 44: AV Evasion (pt 2)<div class="ennote"><div>Following up on my previous post <a href="https://savvygeektips.blogspot.com/2017/12/tips-for-information-security.html" target="_blank">Tips for an Information Security Analyst/Pentester career - Ep. 43: AV Evasion (pt. 1)</a>, we're now going to perform the same attack on a genuine Windows 10 machine with all the latest updates installed.</div><div><br /></div><iframe allow="encrypted-media" allowfullscreen="" frameborder="0" gesture="media" height="315" src="https://www.youtube.com/embed/gKGLtMoyr10" width="560"></iframe> <br /><div><br /><span style="font-style: italic;">Important step: network configuration</span></div><div><br /></div><div><span style="color: yellow;"><span style="font-weight: bold;">My Windows 10 VM was created in VirtualBox, while the attacking machine (Kali Linux v 3 2017) is a VMware Fusion VM.</span></span></div><div><br /></div><div><i>Yes, you read that right.</i></div><div><br /></div><div>I didn't have another Windows 10 license and I didn't feel like re-installing Veil on another Kali VM.</div><div><br /></div><div><span style="font-weight: bold;"><span style="color: yellow;">Two machines created with different virtualization software can communicate, as long as they're both in Bridged network mode.</span></span></div><div><br /></div><div>This way, they both belong to the same network (a wireless network, 
in my case) and can talk to each other.</div><div><br /></div><div><span style="color: yellow;">An important step is to configure the VirtualBox VM to allow <span style="font-weight: bold;">promiscuous mode</span></span>, as displayed below.</div><div><br /></div><div><a href="http://4.bp.blogspot.com/-Ex14usf-SBo/Wif9k9DbxbI/AAAAAAAAFHo/rW5O858wEdIoJZImBR93pEW-FrY84le0gCK4BGAYYCw/s1600/91b7c3b962c5fbff6dc6f2a155008cd2-757234.png"><img alt="" border="0" height="462" id="BLOGGER_PHOTO_ID_6496439798811313586" src="https://4.bp.blogspot.com/-Ex14usf-SBo/Wif9k9DbxbI/AAAAAAAAFHo/rW5O858wEdIoJZImBR93pEW-FrY84le0gCK4BGAYYCw/s640/91b7c3b962c5fbff6dc6f2a155008cd2-757234.png" width="640" /></a></div><div><br /></div><div>We're going to use the same payload created in Veil as before (through the <span style="font-style: italic;">python/shellcode_inject/aes_encrypt.py</span> exploit), which uses AES cryptography.</div><div><br /></div><div><a href="http://2.bp.blogspot.com/-CEI-AV5pdhw/Wif9ltZmXOI/AAAAAAAAFHw/mhW8-ZRIkmwX9v7m06DTK6N1_SZnYdPygCK4BGAYYCw/s1600/68548611f7688f7996e0ae6c1391e03b-761079.png"><img alt="" border="0" height="428" id="BLOGGER_PHOTO_ID_6496439811789184226" src="https://2.bp.blogspot.com/-CEI-AV5pdhw/Wif9ltZmXOI/AAAAAAAAFHw/mhW8-ZRIkmwX9v7m06DTK6N1_SZnYdPygCK4BGAYYCw/s640/68548611f7688f7996e0ae6c1391e03b-761079.png" width="640" /></a></div><div><br /></div><div>At that point, we only need to set up a handler (<span style="font-style: italic;">multi/handler</span>) to pick up the reverse connection from the victim machine and open up a shell.</div><div><br /></div><div><span style="font-style: italic;">Exploitation</span></div><div><br /></div><div>We move to our Windows 10 target machine to download the malicious executable.</div><div><br /></div><div>A warning message pops up, but it's not a blocking warning and the file isn't flagged as malware, unlike what happened when I tried downloading files generated by 
other tools.</div><div><br /></div><div>We can simply dismiss the warning by X'ing out of it.</div><div><br /></div><div><a href="http://3.bp.blogspot.com/-LyZSex2lWPw/Wif9mbPkQ_I/AAAAAAAAFH4/J0CvCe6y40cAFe5WPpOcSGTN1EgVJw-tACK4BGAYYCw/s1600/3dd0f2bbfaf9737ad71e187c571ce863-763698.png"><img alt="" border="0" height="54" id="BLOGGER_PHOTO_ID_6496439824095134706" src="https://3.bp.blogspot.com/-LyZSex2lWPw/Wif9mbPkQ_I/AAAAAAAAFH4/J0CvCe6y40cAFe5WPpOcSGTN1EgVJw-tACK4BGAYYCw/s640/3dd0f2bbfaf9737ad71e187c571ce863-763698.png" width="640" /></a></div><div><br /></div><div>This time around, though, another warning pops up. This one doesn't detect the file as malware either, but it looks pretty bad.</div><div><br /></div><div>Most users would keep going regardless if they thought the file was legit or helpful, and they can also be convinced to do so through social engineering techniques.</div><div><br /></div><div><a href="http://2.bp.blogspot.com/-gl3pGgv-E-E/Wif9nZhfBeI/AAAAAAAAFIA/dQGEQbuugeEl6io7IOB5KlSe-sgjapOOACK4BGAYYCw/s1600/3c6cdf02467a722f3cda4a0cca71badb-767192.png"><img alt="" border="0" height="258" id="BLOGGER_PHOTO_ID_6496439840813286882" src="https://2.bp.blogspot.com/-gl3pGgv-E-E/Wif9nZhfBeI/AAAAAAAAFIA/dQGEQbuugeEl6io7IOB5KlSe-sgjapOOACK4BGAYYCw/s640/3c6cdf02467a722f3cda4a0cca71badb-767192.png" width="640" /></a></div><div><br /></div><div>We can run the executable anyway by going to <span style="font-style: italic;">More info</span> and then clicking <i>Run anyway</i>, and we obtain a Meterpreter session.</div><div><br /></div><div><a href="http://3.bp.blogspot.com/-LAmuzGRLoN8/Wif9n71CP-I/AAAAAAAAFII/HbfNC8YM5LgpowgfRoICFT3QUb1l8DqMQCK4BGAYYCw/s1600/0cd54ef1d3166e62c5aa64333230abb5-769965.png"><img alt="" border="0" height="250" id="BLOGGER_PHOTO_ID_6496439850022092770" src="https://3.bp.blogspot.com/-LAmuzGRLoN8/Wif9n71CP-I/AAAAAAAAFII/HbfNC8YM5LgpowgfRoICFT3QUb1l8DqMQCK4BGAYYCw/s640/0cd54ef1d3166e62c5aa64333230abb5-769965.png" 
width="640" /></a></div><div><br /></div><div><a href="http://3.bp.blogspot.com/-xhGxNnjxp4M/Wif9otlr2vI/AAAAAAAAFIQ/sRWhi9i5b5AwrGsbESYjaNwy3UNMK0y4gCK4BGAYYCw/s1600/fb5f45b708b29de2cedb173e1de83df8-772666.png"><img alt="" border="0" height="376" id="BLOGGER_PHOTO_ID_6496439863379483378" src="https://3.bp.blogspot.com/-xhGxNnjxp4M/Wif9otlr2vI/AAAAAAAAFIQ/sRWhi9i5b5AwrGsbESYjaNwy3UNMK0y4gCK4BGAYYCw/s640/fb5f45b708b29de2cedb173e1de83df8-772666.png" width="640" /></a></div><div><br /></div><div><span style="font-style: italic;">Privilege escalation</span></div><div><br /></div><div>We're in as a local user who belongs to the <span style="font-style: italic;">Administrators</span> group, which allows for a successful privilege escalation.</div><div><br /></div><div>For this purpose, we're going to use another exploit (<span style="font-style: italic;">exploit/windows/local/bypassuac_fodhelper</span>).</div><div><a href="http://4.bp.blogspot.com/-YhH8GALs8NQ/Wif9paTB1aI/AAAAAAAAFIY/Vw6Zqu8KYz4ScFR0Hs1PLNUB1yXf-2lBACK4BGAYYCw/s1600/f19201accb3ca712049c27767c45efd0-775703.png"><img alt="" border="0" height="210" id="BLOGGER_PHOTO_ID_6496439875380827554" src="https://4.bp.blogspot.com/-YhH8GALs8NQ/Wif9paTB1aI/AAAAAAAAFIY/Vw6Zqu8KYz4ScFR0Hs1PLNUB1yXf-2lBACK4BGAYYCw/s640/f19201accb3ca712049c27767c45efd0-775703.png" width="640" /></a></div><div>For more information and the settings related to this specific exploit, check the embedded video.</div><div><br /></div><div>We're successful and another session is created for us.</div><div><br /></div><div><a href="http://2.bp.blogspot.com/-P5lu_PLU-Xg/Wif9qaTnE_I/AAAAAAAAFIg/JeM5kX-XeqQiCp4PdMbnO_K3qUkyGgX5ACK4BGAYYCw/s1600/3506a1d69be922399c26df8c0b3ea9c5-779640.png"><img alt="" border="0" height="238" id="BLOGGER_PHOTO_ID_6496439892563137522" src="https://2.bp.blogspot.com/-P5lu_PLU-Xg/Wif9qaTnE_I/AAAAAAAAFIg/JeM5kX-XeqQiCp4PdMbnO_K3qUkyGgX5ACK4BGAYYCw/s640/3506a1d69be922399c26df8c0b3ea9c5-779640.png" 
width="640" /></a></div><div><br /></div><div>This time around, our escalation with <span style="font-weight: bold;"><span style="color: yellow;">getsystem</span></span> works.</div><div><a href="http://2.bp.blogspot.com/-4Dl3k00te4U/Wif9rQBv9ZI/AAAAAAAAFIo/iKcm2dgVld8rawM3Wof-MRy8m9zIp3ehQCK4BGAYYCw/s1600/73114d867e9e9f95f3b0ec18e9df63bf-782591.png"><img alt="" border="0" height="146" id="BLOGGER_PHOTO_ID_6496439906983736722" src="https://2.bp.blogspot.com/-4Dl3k00te4U/Wif9rQBv9ZI/AAAAAAAAFIo/iKcm2dgVld8rawM3Wof-MRy8m9zIp3ehQCK4BGAYYCw/s640/73114d867e9e9f95f3b0ec18e9df63bf-782591.png" width="640" /></a></div><div>We can also dump the password hashes by migrating to a process running with higher privileges.</div><div><br /></div><div>I chose Windows Defender for this (who'd go and look for something there, right?) and this time around the operation was successful.</div><div><br /></div><div><a href="http://3.bp.blogspot.com/-KXLkgXv_TEE/Wif9sJnVznI/AAAAAAAAFIw/UbWRFjZOKAMU-PCFY55RQcIqsolAy-0AgCK4BGAYYCw/s1600/56d7b2109e27a45d595c76954d4c92b3-786349.png"><img alt="" border="0" height="166" id="BLOGGER_PHOTO_ID_6496439922442227314" src="https://3.bp.blogspot.com/-KXLkgXv_TEE/Wif9sJnVznI/AAAAAAAAFIw/UbWRFjZOKAMU-PCFY55RQcIqsolAy-0AgCK4BGAYYCw/s640/56d7b2109e27a45d595c76954d4c92b3-786349.png" width="640" /></a></div><div><br /></div><div><span style="font-style: italic;">Additional evasion layer: packers</span></div><div><br /></div><div>I was following a <a href="https://www.cybrary.it/course/malware-analysis/#">malware analysis class</a>, where I learned about another method malware uses to disguise malicious code: <span style="color: yellow;"><span style="font-weight: bold;">packers</span>.</span></div><div><br /></div><div>Therefore, I decided to compress the file created with Veil using a packer called <a href="https://upx.github.io/"><b>UPX</b></a>.</div><div><br /></div><div>It's a well-known packer, so I'm not very optimistic 
I can get a better outcome, but I decided to give it a go regardless.</div><div><br /></div><div>I copied my Veil payload to a Windows XP machine I use for that class, where I keep my specific tools, and proceeded to compress the file.</div><div><br /></div><div><a href="http://4.bp.blogspot.com/-gOHvfbw-Xds/Wif9sxTrguI/AAAAAAAAFI4/pSgbenBV-EYgZHdqriJ7zj1-lubhHInjQCK4BGAYYCw/s1600/c61c5f56faac7e2688b1f80fe582a334-789246.png"><img alt="" border="0" height="314" id="BLOGGER_PHOTO_ID_6496439933097181922" src="https://4.bp.blogspot.com/-gOHvfbw-Xds/Wif9sxTrguI/AAAAAAAAFI4/pSgbenBV-EYgZHdqriJ7zj1-lubhHInjQCK4BGAYYCw/s640/c61c5f56faac7e2688b1f80fe582a334-789246.png" width="640" /></a></div><div><br /></div><div>Sadly, like I said, we're out of luck, as we used a well-known packer (<span style="font-style: italic;">watch the embedded video for more details</span>).</div><div><br /></div><div>I reserve the right to update this post using multiple packers or other evasion techniques.</div><div><br /></div><div><span style="font-style: italic;">Wrap-up</span></div><div><br /></div><div>Antivirus software is very important and helpful, but not flawless, as it's mostly based on virus signatures, i.e. 
hashes.</div><div><br /></div><div>If a file doesn't contain those patterns, or it's been created through methods that disguise the viral code, it might easily slip through undetected.</div><div><br /></div><div>The specific AV software used can make a big difference, but your paranoia is your best defense first and foremost.</div><div><br /></div><div>Make sure to install <b>ALL</b> security updates, whenever they pop up.</div><div><br /></div><div>Don't be lazy about it, because updates close specific vulnerabilities an attacker can leverage to hack you.</div><div><br /></div><div>But, regardless of the updating process, a healthy distrust is the best option for you to stay safe.</div><div><br /></div><div>Don't run anything you're not 100% sure of and, even when you're 100% sure, linger a second and think about it once more.</div><div><br /></div><div>A click can't be undone, but a missed click can save your day and maybe your business, your career or, sometimes, your very life.<br /><br />Attacks like this explain, much better than a thousand words, why security awareness in an organization is paramount.<br /><br /><b><a href="https://savvygeektips.blogspot.com/2017/12/tips-for-information-security_11.html">Episode 45 </a></b></div></div> <div class="blogger-post-footer"><hr />
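<div>The packer section above explains why a packed file can slip past hash-based signatures. The following is an added detection example (not code from the post, from Veil or from UPX) that looks at the other side of the trade: a packed PE still carries the packer's own fingerprint. It parses the PE section table directly and flags UPX's telltale section names, plus any section whose raw bytes have near-maximal entropy, which also catches packers that rename their sections. The PE images at the bottom are constructed in memory so the script runs offline; the entropy threshold is an assumption of this example.</div>

```python
"""Added example, not the post's or Veil's code: flag a Windows PE file that has
been run through UPX (or a similar packer). Two signals: UPX's telltale section
names, and near-maximal entropy of a section's raw bytes (compressed or
encrypted code looks like random data). The sample PE images at the bottom are
constructed in memory for offline testing."""
import math
import struct
import sys

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}
HIGH_ENTROPY = 7.0          # bits per byte (assumed threshold); plain x86 code sits well below
MIN_SECTION_BYTES = 64      # entropy on tiny sections is meaningless


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 (constant) to 8.0 (uniformly random)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return [(section_name, raw_bytes), ...]. Raises ValueError on a non-PE."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        hdr = table + i * 40                      # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[hdr:hdr + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)  # SizeOfRawData, PointerToRawData
        sections.append((name, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def assess(pe: bytes) -> dict:
    """UPX section names are a hard indicator; high entropy is a soft one that
    also catches packers which rename their sections."""
    sections = parse_sections(pe)
    names = [n for n, _ in sections]
    upx_names = [n for n in names if n in UPX_SECTION_NAMES]
    high_entropy = [n for n, d in sections
                    if len(d) >= MIN_SECTION_BYTES and shannon_entropy(d) >= HIGH_ENTROPY]
    return {"sections": names, "upx_names": upx_names, "high_entropy": high_entropy,
            "likely_packed": bool(upx_names) or bool(high_entropy)}


def build_test_pe(sections) -> bytes:
    """Constructed minimal PE image: DOS stub, COFF header with no optional
    header, a section table and the section bodies. Enough for parse_sections;
    Windows itself would not load it."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    raw_ptr = e_lfanew + 4 + 20 + 40 * len(sections)
    table, body = b"", b""
    for name, data in sections:
        table += name.ljust(8, b"\0") + struct.pack("<IIII", len(data), 0, len(data), raw_ptr) + b"\0" * 16
        body += data
        raw_ptr += len(data)
    return dos + b"PE\0\0" + coff + table + body


# Constructed samples: a UPX-style layout (empty UPX0, high-entropy UPX1) and a
# plain layout with low-entropy .text/.data sections.
UPX_SAMPLE = build_test_pe([(b"UPX0", b"\0" * 128), (b"UPX1", bytes(range(256)) * 2)])
CLEAN_SAMPLE = build_test_pe([(b".text", b"\x90" * 256), (b".data", b"hello world " * 20)])

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, assess(fh.read()))
```

Run it against a file path to print the section names and verdict; a packed payload that evades a hash signature is still visible to this structural check.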
</div><div class="feedflare">
</div>
noreply@blogger.com (Mattia Campagnano) | http://savvygeektips.blogspot.com/2017/12/tips-for-information-security_6.html

Tue, 05 Dec 2017 14:00:00 +0000 (updated 2017-12-06T10:28:48.643-05:00) | troubleshooting, VirtualBox, virtualization, VMware
Clone and resize a VirtualBox Windows virtual machine keeping its activation<div class="ennote"><div><span style="font-style: italic;">Problem</span></div><div><br /></div><div>A while ago I created a genuine Windows 10 VM, assigning it what I thought would be sufficient disk space.<br /><br />Sadly, over time, the available disk space became so insufficient that it eventually prevented me from installing Windows updates.<br /><br />The obvious solution to the issue is to resize the VM.</div><div><br /></div><div>You can resize a VirtualBox machine from the command line, provided you don't have any saved snapshots.</div><div><br /></div><div>Sadly, I had saved a snapshot I couldn't get rid of.</div><div><br /></div><iframe allow="encrypted-media" allowfullscreen="" frameborder="0" gesture="media" height="315" src="https://www.youtube.com/embed/PVh-9glqrJQ" width="560"></iframe> <br /><div><br /><span style="font-style: italic;">Solution</span></div><div><br /></div><div>The easiest way to solve this problem is to clone the machine selecting the <span style="font-style: italic;">Current Machine State</span> option, so that the previous snapshots are not carried over to the clone.</div><div><br /></div><div><a href="http://2.bp.blogspot.com/-5D3NI93e7U0/WiXEwm4YFGI/AAAAAAAAFGc/SJcFIphkJvMGPn-3r2xai8t6mGV8F5rKACK4BGAYYCw/s1600/753bbbd5d0a20c9060603c626efafc4e-739187.png"><img alt="" border="0" height="450" 
id="BLOGGER_PHOTO_ID_6495814376901579874" src="https://2.bp.blogspot.com/-5D3NI93e7U0/WiXEwm4YFGI/AAAAAAAAFGc/SJcFIphkJvMGPn-3r2xai8t6mGV8F5rKACK4BGAYYCw/s640/753bbbd5d0a20c9060603c626efafc4e-739187.png" width="640" /></a></div><div><span style="color: yellow;"><b>Though this approach solves the problem of removing the snapshots, it presents another challenge: cloning the machine will cause the VM to lose its Windows activation.</b></span></div><div><br /></div><div><i>Keeping Windows activation</i></div><div><br /></div><div>To keep our Windows activation, we need to perform two steps after creating the clone.<br /><br /><b>BEFORE</b> starting the clone VM:</div><div><ol><li><i>View the hardware UUID of the original machine through the command </i><b><i>VBoxManage showvminfo "Original VM name"</i></b> (in my case "<i>Windows 10</i>". <span style="color: yellow;"><b><u>NOTE:</u> if the VM name contains spaces, you need to enclose it in quotes</b></span>). <a href="http://1.bp.blogspot.com/-ZVCKKRcvjPE/WiXExe8093I/AAAAAAAAFGk/dlvO7RWtcOkocVsPgQkS6B2hoZvwGbTVwCK4BGAYYCw/s1600/92057aa3331a67238f7e6ddfa4723283-743375.png"><img alt="" border="0" height="313" id="BLOGGER_PHOTO_ID_6495814391952635762" src="https://1.bp.blogspot.com/-ZVCKKRcvjPE/WiXExe8093I/AAAAAAAAFGk/dlvO7RWtcOkocVsPgQkS6B2hoZvwGbTVwCK4BGAYYCw/s640/92057aa3331a67238f7e6ddfa4723283-743375.png" width="640" /></a></li><li><i>Copy that hardware UUID to the newly cloned machine through the command <span style="color: yellow;"><b>VBoxManage modifyvm "Cloned VM name" --hardwareuuid xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx</b></span> (what this command looks like in my case is shown below).<a href="http://3.bp.blogspot.com/-OVlx2CJwcPc/WiXEyTjSSAI/AAAAAAAAFGs/KpCwtXnOxlgT4XhvOm1-7_Vbz2rGaijjACK4BGAYYCw/s1600/34b09b98dbc2ccde580466ff82d50603-746948.png"><img alt="" border="0" height="28" 
id="BLOGGER_PHOTO_ID_6495814406072584194" src="https://3.bp.blogspot.com/-OVlx2CJwcPc/WiXEyTjSSAI/AAAAAAAAFGs/KpCwtXnOxlgT4XhvOm1-7_Vbz2rGaijjACK4BGAYYCw/s640/34b09b98dbc2ccde580466ff82d50603-746948.png" width="640" /></a></i></li></ol></div><div><i>Resizing the virtual hard drive</i></div><div><br /></div><div>From the command line, we need to run <b><span style="color: yellow;">VBoxManage modifyhd &lt;path to the vdi file&gt; --resize &lt;size in MB&gt;</span></b>, which in my case looks as follows:</div><div><a href="http://3.bp.blogspot.com/-g67HEwSR_aA/WiXEzCuD0QI/AAAAAAAAFG0/U6FwzWX0-3olDLGkjWLLUiAYyD3onbEkgCK4BGAYYCw/s1600/760152dadac53cb9e5c5d4363d20baae-749901.png"><img alt="" border="0" height="52" id="BLOGGER_PHOTO_ID_6495814418734240002" src="https://3.bp.blogspot.com/-g67HEwSR_aA/WiXEzCuD0QI/AAAAAAAAFG0/U6FwzWX0-3olDLGkjWLLUiAYyD3onbEkgCK4BGAYYCw/s640/760152dadac53cb9e5c5d4363d20baae-749901.png" width="640" /></a></div><div><br /></div><div>If we check the properties of our virtual disk drive again, nothing seems to have changed.</div><div><br /></div><div>We need to start our new VM and go to <i>Disk Management</i>.</div><div><br /></div><div>The command we ran created a large unallocated space, which wasn't added to our system partition.</div><div><br /></div><div>Therefore, we need to right-click our C: partition and choose <i>Extend</i> to use the unallocated space and enlarge our system partition.</div><div><br /></div><div>This solution fixes the disk space issue while, at the same time, keeping our activation status.<br /><br /><i><a href="https://superuser.com/questions/472951/make-a-clone-of-virtualbox-machine-that-doesnt-cause-windows-re-activation-afte" target="_blank">External sources</a></i> <br /><br /><a href="http://3.bp.blogspot.com/-IngbNpdRi1w/WiXEz3mIK9I/AAAAAAAAFG8/MssvnJ8cnBMPDsSEdexhyplMBa6HrM0LgCK4BGAYYCw/s1600/227d6b4d467838a24df5cb593fbb7e7b-753856.png"><img alt="" 
border="0" height="430" id="BLOGGER_PHOTO_ID_6495814432928050130" src="https://3.bp.blogspot.com/-IngbNpdRi1w/WiXEz3mIK9I/AAAAAAAAFG8/MssvnJ8cnBMPDsSEdexhyplMBa6HrM0LgCK4BGAYYCw/s640/227d6b4d467838a24df5cb593fbb7e7b-753856.png" width="640" /></a></div><div><br /><a href="http://3.bp.blogspot.com/-R6HwE3-LhQo/WiXE0rzxRhI/AAAAAAAAFHE/uNZPT7onGvwAfzqsnSNp42gzycJQRpJvgCK4BGAYYCw/s1600/9f62e0a2ce3385633a7d8c9f267f2884-756695.png"><img alt="" border="0" height="524" id="BLOGGER_PHOTO_ID_6495814446943913490" src="https://3.bp.blogspot.com/-R6HwE3-LhQo/WiXE0rzxRhI/AAAAAAAAFHE/uNZPT7onGvwAfzqsnSNp42gzycJQRpJvgCK4BGAYYCw/s640/9f62e0a2ce3385633a7d8c9f267f2884-756695.png" width="640" /></a></div></div> <div class="blogger-post-footer"><hr />
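<div>The two "keep activation" steps and the resize command above are easy to get wrong by hand (copying the VM's own UUID instead of the hardware UUID, forgetting the quotes around a name with spaces, or starting the clone first). The script below is an added example that automates the post's procedure; it is not the post's own script. It assumes VBoxManage is on PATH and that the real <i>--machinereadable</i> flag of <i>showvminfo</i> prints <i>key="value"</i> lines including <i>hardwareuuid</i> and <i>VMState</i>; the SAMPLE_INFO excerpt, the VM names and the .vdi path are constructed.</div>

```python
"""Added example, not the post's own script: automate the post's "keep
activation" steps (copy hardwareuuid, then resize the .vdi) with VBoxManage.
Assumes VBoxManage is on PATH and that `showvminfo --machinereadable` prints
key="value" lines including hardwareuuid and VMState (SAMPLE_INFO below is a
constructed excerpt of that output)."""
import re
import subprocess
import sys

UUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)

# Constructed excerpt of: VBoxManage showvminfo "Windows 10" --machinereadable
SAMPLE_INFO = '''name="Windows 10"
ostype="Windows 10 (64-bit)"
UUID="0d5c4e1a-3b7f-4c2d-9e8a-1f2b3c4d5e6f"
hardwareuuid="9a1b2c3d-4e5f-4a6b-8c7d-0e1f2a3b4c5d"
memory=4096
VMState="poweroff"
'''


def parse_info(text: str) -> dict:
    """Turn key="value" / key=value lines into a dict with lower-cased keys."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            info[key.strip().lower()] = value.strip().strip('"')
    return info


def hardware_uuid(text: str) -> str:
    """The activation-relevant value is hardwareuuid, not the VM's own UUID line."""
    value = parse_info(text).get("hardwareuuid")
    if value is None:
        raise ValueError("hardwareuuid not found; check the VM name")
    if not UUID_RE.match(value):
        raise ValueError(f"unexpected hardwareuuid value: {value!r}")
    return value


def is_powered_off(text: str) -> bool:
    """The post stresses doing this BEFORE the clone is started for the first time."""
    return parse_info(text).get("vmstate") == "poweroff"


def build_commands(clone: str, hw_uuid: str, vdi: str, size_mb: int) -> list:
    """argv lists: a VM name with spaces needs no shell quoting this way."""
    if size_mb <= 0:
        raise ValueError("size must be a positive number of MB")
    return [
        ["VBoxManage", "modifyvm", clone, "--hardwareuuid", hw_uuid],
        ["VBoxManage", "modifyhd", vdi, "--resize", str(size_mb)],
    ]


def showvminfo(vm: str) -> str:
    return subprocess.run(["VBoxManage", "showvminfo", vm, "--machinereadable"],
                          capture_output=True, text=True, check=True).stdout


def main(original: str, clone: str, vdi: str, size_mb: str) -> None:
    hw_uuid = hardware_uuid(showvminfo(original))
    if not is_powered_off(showvminfo(clone)):
        sys.exit(f"{clone!r} must be powered off before its hardware UUID is changed")
    for argv in build_commands(clone, hw_uuid, vdi, int(size_mb)):
        print("+", " ".join(argv))
        subprocess.run(argv, check=True)


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit("usage: clone_keep_activation.py <original VM> <clone VM> <clone .vdi> <size MB>")
    main(*sys.argv[1:])
```

After it runs, the unallocated space still has to be merged into C: from Disk Management inside the clone, exactly as described above.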
</div><div class="feedflare">
</div>
noreply@blogger.com (Mattia Campagnano) | http://savvygeektips.blogspot.com/2017/12/clone-and-resize-virtualbox-windows.html

Tue, 05 Dec 2017 02:06:00 +0000 (updated 2017-12-06T09:44:07.938-05:00) | cybersecurity, hacking, pentesting, tips&tricks
Tips for an Information Security Analyst/Pentester career - Ep. 43: AV Evasion (pt.1)<div class="ennote"><div>In this post we'll analyze how to make our payloads less detectable through antivirus evasion.</div><div><br /></div><div>For this purpose, we're going to use a tool called <span style="font-style: italic;">Veil</span> (formerly <span style="font-style: italic;">Veil-Evasion</span>), mainly based on Python and following the Metasploit structure (though the current version doesn't look as Metasploit-ish as it did before).</div><iframe allow="encrypted-media" allowfullscreen="" frameborder="0" gesture="media" height="315" src="https://www.youtube.com/embed/sptcA1ukglg" width="560"></iframe> <br /><div><br /></div><div><span style="font-style: italic;">Prep</span></div><div><br /></div><div><span style="font-style: italic;">Veil</span> contains several exploits.</div><div><br /></div><div>In this case, we choose number 29 (<span style="font-style: italic;">python/shellcode_inject/aes_encrypt.py</span>), which encrypts its own payload with AES cryptography.</div><div><br /></div><div><a href="http://3.bp.blogspot.com/-1-QirvNpYj0/WiSfuWoX-HI/AAAAAAAAFFc/rmg9wnSmdegTi3Fuhoe2X4UtsPP5hkfYACK4BGAYYCw/s1600/68548611f7688f7996e0ae6c1391e03b-722085.png"><img alt="" border="0" height="428" id="BLOGGER_PHOTO_ID_6495492181272819826" 
src="https://3.bp.blogspot.com/-1-QirvNpYj0/WiSfuWoX-HI/AAAAAAAAFFc/rmg9wnSmdegTi3Fuhoe2X4UtsPP5hkfYACK4BGAYYCw/s640/68548611f7688f7996e0ae6c1391e03b-722085.png" width="640" /></a></div><div><br /></div><div>You'll notice in the above screenshot that we used a reverse shell payload, based on the IP address of our Kali VM, listening on port 5600.</div><div><br /></div><div>The command generates an executable that we copy to the Web server directory.</div><div><br /></div><div>At that point, we only have to set up a handler (<span style="font-style: italic;">multi/handler</span>) to pick up the reverse connection from the victim machine and open up a shell.</div><div><br /></div><div><span style="font-style: italic;">Exploitation</span></div><div><br /></div><div>We move to our Windows 10 target machine in order to download the malicious executable.</div><div><br /></div><div>A warning message pops up, but it's not a blocking warning and, additionally, the file isn't flagged as malware, unlike what happened when I tried downloading files generated by other tools.</div><div><br /></div><div>We can simply dismiss the warning by X'ing out of it.</div><div><br /></div><div><a href="http://2.bp.blogspot.com/-5vOzbGZ-p6s/WiSfvN5z3lI/AAAAAAAAFFk/UQJQbNoHMjAJVqZ2FGCOyvuGTTR4LVDugCK4BGAYYCw/s1600/3dd0f2bbfaf9737ad71e187c571ce863-726606.png"><img alt="" border="0" height="54" id="BLOGGER_PHOTO_ID_6495492196109901394" src="https://2.bp.blogspot.com/-5vOzbGZ-p6s/WiSfvN5z3lI/AAAAAAAAFFk/UQJQbNoHMjAJVqZ2FGCOyvuGTTR4LVDugCK4BGAYYCw/s640/3dd0f2bbfaf9737ad71e187c571ce863-726606.png" width="640" /></a></div><div><br /></div><div>Most users would keep going regardless if they thought the file was legitimate or helpful, and they can also be convinced to do so through social engineering.</div><div><br /></div><div>In fact, we're able to run the executable normally and open up a Meterpreter session.</div><div><br /></div><div><a 
href="http://1.bp.blogspot.com/-f54eL9dfGnU/WiSfwOrummI/AAAAAAAAFFs/IMz1fx6_prwxfWcWXaaoDav1WA2XCHSNQCK4BGAYYCw/s1600/fb5f45b708b29de2cedb173e1de83df8-730554.png"><img alt="" border="0" height="376" id="BLOGGER_PHOTO_ID_6495492213499140706" src="https://1.bp.blogspot.com/-f54eL9dfGnU/WiSfwOrummI/AAAAAAAAFFs/IMz1fx6_prwxfWcWXaaoDav1WA2XCHSNQCK4BGAYYCw/s640/fb5f45b708b29de2cedb173e1de83df8-730554.png" width="640" /></a></div><div><br /></div><div><span style="font-style: italic;">Privilege escalation</span></div><div><br /></div><div>We're in as a local user who belongs to the <span style="font-style: italic;">Administrators</span> group, and this is what allows a successful privilege escalation.</div><div><br /></div><div>For this purpose, we're going to use another exploit (<span style="font-style: italic;">exploit/windows/local/bypassuac_fodhelper</span>).</div><div><a href="http://1.bp.blogspot.com/-uUywCSNd-DA/WiSfw1Pzt8I/AAAAAAAAFF0/89BYT3z79rQFlBIKY5eXRPnKXDMFblcGACK4BGAYYCw/s1600/f19201accb3ca712049c27767c45efd0-733806.png"><img alt="" border="0" height="210" id="BLOGGER_PHOTO_ID_6495492223851018178" src="https://1.bp.blogspot.com/-uUywCSNd-DA/WiSfw1Pzt8I/AAAAAAAAFF0/89BYT3z79rQFlBIKY5eXRPnKXDMFblcGACK4BGAYYCw/s640/f19201accb3ca712049c27767c45efd0-733806.png" width="640" /></a></div><div><i>For more information and the settings related to this specific exploit, check the embedded video.</i></div><div><br /></div><div>We're successful and another session is created for us.</div><div><br /></div><div><a href="http://2.bp.blogspot.com/-TKZKWeSfWXM/WiSfx91EYRI/AAAAAAAAFF8/UlnZTIFZLfwUa7oFwMN6yUe2paAxUzUrACK4BGAYYCw/s1600/3506a1d69be922399c26df8c0b3ea9c5-737499.png"><img alt="" border="0" height="238" id="BLOGGER_PHOTO_ID_6495492243334652178" src="https://2.bp.blogspot.com/-TKZKWeSfWXM/WiSfx91EYRI/AAAAAAAAFF8/UlnZTIFZLfwUa7oFwMN6yUe2paAxUzUrACK4BGAYYCw/s640/3506a1d69be922399c26df8c0b3ea9c5-737499.png" width="640" /></a></div><div><br 
/></div><div>This time around, our escalation with <span style="font-weight: bold;"><span style="color: yellow;">getsystem</span> </span>works.</div><div><a href="http://2.bp.blogspot.com/-mRitFLeq0DM/WiSfy9GwMbI/AAAAAAAAFGE/dCT9KtyOnLcZmEoDZ4n5Fxbre7bpy7aVwCK4BGAYYCw/s1600/73114d867e9e9f95f3b0ec18e9df63bf-741588.png"><img alt="" border="0" height="146" id="BLOGGER_PHOTO_ID_6495492260320260530" src="https://2.bp.blogspot.com/-mRitFLeq0DM/WiSfy9GwMbI/AAAAAAAAFGE/dCT9KtyOnLcZmEoDZ4n5Fxbre7bpy7aVwCK4BGAYYCw/s640/73114d867e9e9f95f3b0ec18e9df63bf-741588.png" width="640" /></a></div><div>We can also dump the password hashes by migrating to a process running with higher privileges.</div><div><br /></div><div>I chose Windows Defender for this (who'd go and look for something there, right?) and this time around the operation was successful.</div><div><br /></div><div><a href="http://3.bp.blogspot.com/-XU3oobg2Kqs/WiSfz_r5ZZI/AAAAAAAAFGM/m7SO88ypBWAAxTPtow4Hf0M6t31WBY34gCK4BGAYYCw/s1600/56d7b2109e27a45d595c76954d4c92b3-745221.png"><img alt="" border="0" height="166" id="BLOGGER_PHOTO_ID_6495492278192792978" src="https://3.bp.blogspot.com/-XU3oobg2Kqs/WiSfz_r5ZZI/AAAAAAAAFGM/m7SO88ypBWAAxTPtow4Hf0M6t31WBY34gCK4BGAYYCw/s640/56d7b2109e27a45d595c76954d4c92b3-745221.png" width="640" /></a></div><div>At this point, we add another user, called <span style="font-style: italic;">hacker</span>, to the system.</div><div><br /></div><div>We can get more granular control of the system by running a Windows shell with the <span style="font-style: italic;">shell</span> command, and this way we add <span style="font-style: italic;">hacker</span> to the <span style="font-style: italic;">Administrators</span> local group.</div><div><br /></div><div><span style="font-style: italic;">Wrap-up</span></div><div><br /></div><div>Antivirus software is very important and helpful, but not flawless, as it's mostly based on viral signatures, i.e. hashes.</div><div><br /></div><div>If a file doesn't contain those patterns, or it's been created through methods that disguise the viral code, it might easily slip through undetected.</div><div><br /></div><div>The specific AV software used can make a big difference, but your paranoia is your best defense first and foremost.</div><div><br /></div><div>Make sure to install ALL security updates, whenever they pop up.</div><div><br /></div><div>Don't be lazy about it, because updates close specific vulnerabilities that an attacker can leverage in order to hack you.<br /><br />My victim machine was an unactivated Windows 10 VM, so I couldn't install any Windows updates.<br /><br />I'm working on resizing a genuine Windows 10 VirtualBox VM, so I can update it and test this attack against it; therefore I reserve the right to update this post.<br /><br />Home users are forced to go through automatic updates and there's not a lot they can do about it, but corporate customers have more say in the matter.</div><div><br /></div><div>However, regardless of the updating process, a healthy distrust is the best option for you to stay safe.</div><div><br /></div><div>Don't run anything you're not 100% sure of and, even when you're 100% sure, linger a second and think about it once more.</div><div><br /></div><div>A click can't be undone, but a missed click can save your day and maybe your business, your career or, sometimes, your very life.<br /><br /><b><a href="https://savvygeektips.blogspot.com/2017/12/tips-for-information-security_6.html">Episode 44</a></b> <br /><br /><b><a href="https://savvygeektips.blogspot.com/2017/11/tips-for-information-security_30.html" target="_blank">Episode 42 </a></b></div></div><div class="blogger-post-footer"><hr />
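The last steps of the post (a new local account created, then added to the Administrators group) leave a clear trail in the Windows Security log. The following is an added example, not from the post or from Veil/Metasploit, that correlates the two real event IDs involved (4720, account created; 4732, member added to a security-enabled local group) over a constructed key=value log export; the export layout, the account names and the one-hour window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Real Windows Security log event IDs: 4720 = a user account was created,
# 4732 = a member was added to a security-enabled local group.
EVENT_ACCOUNT_CREATED = 4720
EVENT_LOCAL_GROUP_MEMBER_ADDED = 4732

# Groups whose membership changes always deserve an alert (assumption: tune per environment).
PRIVILEGED_GROUPS = {"administrators"}

# A 4732 into a privileged group this soon after the member's own 4720 is rated high (assumption).
WINDOW = timedelta(hours=1)

# Constructed sample export (not real log data): one event per line, timestamp first,
# then the event's fields as key=value pairs. In 4732 events TargetUserName is the
# GROUP and MemberName is the account being added; in real exports MemberName is
# often "-" and you would resolve MemberSid instead.
SAMPLE_LOG = """\
2017-12-05T02:10:11 EventID=4624 SubjectUserName=georgia TargetUserName=georgia LogonType=2
2017-12-05T02:12:40 EventID=4720 SubjectUserName=georgia TargetUserName=hacker
2017-12-05T02:13:05 EventID=4732 SubjectUserName=georgia MemberName=hacker TargetUserName=Administrators
2017-12-06T09:00:00 EventID=4720 SubjectUserName=helpdesk TargetUserName=jdoe
2017-12-06T09:05:00 EventID=4732 SubjectUserName=helpdesk MemberName=jdoe TargetUserName="Remote Desktop Users"
2017-12-07T10:00:00 EventID=4732 SubjectUserName=helpdesk MemberName=jdoe TargetUserName=Administrators
"""

# key=value, where the value is either a double-quoted string or a run of non-blanks.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one export line into a dict; the timestamp becomes a datetime under 'time'."""
    stamp, _, rest = line.partition(" ")
    event = {key: value.strip('"') for key, value in KV_RE.findall(rest)}
    event["time"] = datetime.fromisoformat(stamp)
    event["EventID"] = int(event["EventID"])
    return event


def detect_new_admin(log_text, window=WINDOW):
    """Return one alert per addition to a privileged local group.

    Severity is 'high' when the added account was itself created less than
    `window` earlier (the create-then-promote sequence), otherwise 'medium'.
    """
    created = {}  # account name (lower-case) -> (creation time, creating subject)
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        event = parse_event(raw)
        if event["EventID"] == EVENT_ACCOUNT_CREATED:
            created[event["TargetUserName"].lower()] = (event["time"], event["SubjectUserName"])
        elif event["EventID"] == EVENT_LOCAL_GROUP_MEMBER_ADDED:
            group = event["TargetUserName"]
            if group.lower() not in PRIVILEGED_GROUPS:
                continue
            member = event.get("MemberName", "-").lower()
            alert = {"time": event["time"], "member": member, "group": group,
                     "by": event["SubjectUserName"], "severity": "medium"}
            if member in created:
                age = event["time"] - created[member][0]
                if timedelta(0) <= age <= window:
                    alert.update(severity="high", age=age, created_by=created[member][1])
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in detect_new_admin(SAMPLE_LOG):
        print(f"[{alert['severity'].upper()}] {alert['member']} added to {alert['group']} "
              f"by {alert['by']} at {alert['time']:%Y-%m-%d %H:%M:%S}")
```

On the sample export this yields one high alert (hacker, created 25 seconds before promotion) and one medium alert (jdoe, an older account added to Administrators a day later); the Remote Desktop Users change is ignored.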
<a href="http://savvygeektips.blogspot.com">One Tip A Day Tech Blog</a></div><div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/blogspot/HLRhI/~4/VctvFTyKFyA" height="1" width="1" alt=""/>http://feedproxy.google.com/~r/blogspot/HLRhI/~3/VctvFTyKFyA/tips-for-information-security.htmlnoreply@blogger.com (Mattia Campagnano)0http://savvygeektips.blogspot.com/2017/12/tips-for-information-security.htmltag:blogger.com,1999:blog-2419284614709488194.post-8413542996605418444Thu, 30 Nov 2017 14:00:00 +00002017-12-04T08:40:27.607-05:00cybersecurityhackingpentestingtips&tricksTips for an Information Security Analyst/Pentester career - Ep. 42: Client-side attacks (pt. 3)<div class="ennote"><div>This time we're going to analyze a client-side attack carried out by a buffer overflow exploit (<i>exploit/windows/fileformat/winamp_maki_bof</i>), delivered through a vulnerable Winamp version, available <a href="https://filehippo.com/download_winamp/5305/">here</a>.</div><div><br /></div><div><a href="http://4.bp.blogspot.com/-qllDnRTAKgM/Wh9Mc027qnI/AAAAAAAAFEs/kvDfgpzuBI8CgEf38JHLPvLAYfnveZ5qwCK4BGAYYCw/s1600/92cb4cc56977ea42057083d78217a1a4-725259.png"><img alt="" border="0" height="504" id="BLOGGER_PHOTO_ID_6493993245800639090" src="https://4.bp.blogspot.com/-qllDnRTAKgM/Wh9Mc027qnI/AAAAAAAAFEs/kvDfgpzuBI8CgEf38JHLPvLAYfnveZ5qwCK4BGAYYCw/s640/92cb4cc56977ea42057083d78217a1a4-725259.png" width="640" /></a></div><div>This module creates a malicious script to be placed inside the "scripts" subdirectory of a Winamp skin.</div><iframe allow="encrypted-media" allowfullscreen="" frameborder="0" gesture="media" height="315" src="https://www.youtube.com/embed/PLXqheC1aR0" width="560"></iframe> <br /><div><br /></div><div>This fake skin, when loaded, triggers the buffer overflow.</div><div><br /></div><div>We set up our usual reverse shell payload, configuring LHOST as our Kali VM's IP address.</div><div><br /></div><div>The exploit creates a file in the root directory.</div><div><br /></div><div><a 
href="http://3.bp.blogspot.com/-9VgZHH7NdDA/Wh9MdoBjXGI/AAAAAAAAFE0/U72ARQfVVIk2VRp8ciSPh76i6XSWQgmMACK4BGAYYCw/s1600/2af1f5b521ccab74a27bec9cbcad813e-728591.png"><img alt="" border="0" height="426" id="BLOGGER_PHOTO_ID_6493993259535391842" src="https://3.bp.blogspot.com/-9VgZHH7NdDA/Wh9MdoBjXGI/AAAAAAAAFE0/U72ARQfVVIk2VRp8ciSPh76i6XSWQgmMACK4BGAYYCw/s640/2af1f5b521ccab74a27bec9cbcad813e-728591.png" width="640" /></a></div><div>Moving to our Windows 7 VM, we need to copy the <i>C:\Program Files (x86)\Winamp\Skins\Bento</i> directory to our Kali VM.</div><div><br /></div><div>In Kali, we copy the file created with Metasploit into the <i>Bento\Scripts</i> folder, after renaming <i>Bento</i> to <i>Rocketship</i>.</div><div><br /></div><div><a href="http://3.bp.blogspot.com/-YFH2ncoNthQ/Wh9Mek9bafI/AAAAAAAAFE8/BJ1873SQaIwE9j3TSE4I-G8Gr91mTe0oQCK4BGAYYCw/s1600/8ee814f9fd57edbbc756fb5b62be86e6-731902.png"><img alt="" border="0" height="244" id="BLOGGER_PHOTO_ID_6493993275892656626" src="https://3.bp.blogspot.com/-YFH2ncoNthQ/Wh9Mek9bafI/AAAAAAAAFE8/BJ1873SQaIwE9j3TSE4I-G8Gr91mTe0oQCK4BGAYYCw/s640/8ee814f9fd57edbbc756fb5b62be86e6-731902.png" width="640" /></a></div><div>Then we zip the <i>Rocketship</i> folder and copy it to <i>/var/www/html</i>.</div><div><br /></div><div>We set up a handler (<i>multi/handler</i>) to pick up the reverse connection from the victim machine and assign it the familiar <i>windows/meterpreter/reverse_tcp</i> payload.</div><div><br /></div><div>With that done, we can download the zipped file to Windows 7 and get ready to launch the exploit.</div><div><br /></div><div>When we launch Winamp with the <em>Rocketship</em> skin, it crashes: the buffer overflow is triggered and that is what gets us in.</div><div><br /></div><div><a href="http://3.bp.blogspot.com/-p28KjVFq45U/Wh9Mfa8QY_I/AAAAAAAAFFE/aEHN2ZClLKAImIbuirMUD79B6JJGoOxuwCK4BGAYYCw/s1600/bd5088dc72b5e66275a496c1c35a7bad-735642.png"><img alt="" 
border="0" height="302" id="BLOGGER_PHOTO_ID_6493993290383254514" src="https://3.bp.blogspot.com/-p28KjVFq45U/Wh9Mfa8QY_I/AAAAAAAAFFE/aEHN2ZClLKAImIbuirMUD79B6JJGoOxuwCK4BGAYYCw/s640/bd5088dc72b5e66275a496c1c35a7bad-735642.png" width="640" /></a></div><div>I'm unable to perform a privilege escalation, so I background the session and use a different exploit (<span style="color: yellow;"><b>exploit/windows/local/bypassuac</b></span>) to achieve it.</div><div><br /></div><div><a href="http://3.bp.blogspot.com/-JOwUHN8Vu8g/Wh9MgDvZz7I/AAAAAAAAFFM/yl-bH-DErWYDe0unqmBRL18QpbdKxX7owCK4BGAYYCw/s1600/84f4c114e9db06592fa8e34677fca9fe-739028.png"><img alt="" border="0" height="350" id="BLOGGER_PHOTO_ID_6493993301335199666" src="https://3.bp.blogspot.com/-JOwUHN8Vu8g/Wh9MgDvZz7I/AAAAAAAAFFM/yl-bH-DErWYDe0unqmBRL18QpbdKxX7owCK4BGAYYCw/s640/84f4c114e9db06592fa8e34677fca9fe-739028.png" width="640" /></a></div><div>I successfully obtain a privilege escalation.</div><div><br /></div><div><i>Wrap-up</i></div><div><br /></div><div>Once again, we were able to hack an otherwise hardened system thanks to vulnerable, outdated software installed on a specific client.</div><div><br /></div><div>This reinforces the point that updates are not only recommended but paramount for the very survival of an organization.<br /><br /><b><a href="https://savvygeektips.blogspot.com/2017/12/tips-for-information-security.html" target="_blank">Episode 43</a></b><br /><br /><b><a href="https://savvygeektips.blogspot.com/2017/11/tips-for-information-security_29.html" target="_blank">Episode 41 </a></b></div><div><br /></div></div><div class="blogger-post-footer"><hr />
<a href="http://savvygeektips.blogspot.com">One Tip A Day Tech Blog</a></div><div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/blogspot/HLRhI/~4/QLmrYwD1c0A" height="1" width="1" alt=""/>http://feedproxy.google.com/~r/blogspot/HLRhI/~3/QLmrYwD1c0A/tips-for-information-security_30.htmlnoreply@blogger.com (Mattia Campagnano)0http://savvygeektips.blogspot.com/2017/11/tips-for-information-security_30.htmltag:blogger.com,1999:blog-2419284614709488194.post-2909065892192971388Wed, 29 Nov 2017 13:28:00 +00002017-11-30T10:28:35.855-05:00hackingpentestingtips&tricksTips for an Information Security Analyst/Pentester career - Ep. 41: Client-side attacks (pt. 2)<div class="ennote"><div><i>PDF exploits</i></div><div><i><br /></i></div><div>This time we're going to see a different type of client-side attack, performed through PDF files.<br /><br />I'm going to explain two different exploits.<br /><br /></div><iframe allowfullscreen="" frameborder="0" height="315" src="https://www.youtube.com/embed/JgbgsvQvvXY" width="560"></iframe> <br /><div><br /></div><iframe allowfullscreen="" frameborder="0" height="315" src="https://www.youtube.com/embed/ngKKGUSrFpo" width="560"></iframe> <br /><div><br /><i>a) </i><i>exploit/windows/fileformat/adobe_utilprintf</i></div><div><i><br /></i></div><div>This module exploits a buffer overflow vulnerability found in older Adobe Reader versions, as we can read from <b><span style="color: yellow;">show info</span></b> <i>(see below)</i>.</div><div><i><br /></i></div><div><a href="http://2.bp.blogspot.com/-3wjYXeJBiT8/Wh4w1nNPngI/AAAAAAAAFD0/rOZsQPOlSkIcc5rVEFfwHusUDITBR1LcgCK4BGAYYCw/s1600/57a7c9484d9627dd7e4ba0eeb1248ad9-720478.png"><img alt="" border="0" height="176" id="BLOGGER_PHOTO_ID_6493681410330566146" src="https://2.bp.blogspot.com/-3wjYXeJBiT8/Wh4w1nNPngI/AAAAAAAAFD0/rOZsQPOlSkIcc5rVEFfwHusUDITBR1LcgCK4BGAYYCw/s640/57a7c9484d9627dd7e4ba0eeb1248ad9-720478.png" width="640" /></a></div><div>The options available for this exploit are very straightforward and only include the filename, which I left as 
default.</div><div><br /></div><div><a href="http://4.bp.blogspot.com/-eIGKA69CsE4/Wh4w2dmCeaI/AAAAAAAAFD8/sM_rDUw5pDk0q-sqB3Ig-A-rO2T_gvj_gCK4BGAYYCw/s1600/5b90114c7c775a8d4eafcdceb332a5b6-723495.png"><img alt="" border="0" height="316" id="BLOGGER_PHOTO_ID_6493681424930077090" src="https://4.bp.blogspot.com/-eIGKA69CsE4/Wh4w2dmCeaI/AAAAAAAAFD8/sM_rDUw5pDk0q-sqB3Ig-A-rO2T_gvj_gCK4BGAYYCw/s640/5b90114c7c775a8d4eafcdceb332a5b6-723495.png" width="640" /></a></div><div><br /></div><div>We need to set up a payload for this exploit, which will be our familiar Windows reverse shell (<i>view embedded video for more details</i>).</div><div><br /></div><div>We only have to set up LHOST as our Kali Linux VM's IP address.</div><div><br /></div><div>Once we launch the exploit, our malicious PDF is created. We're going to copy it to the Web server directory, so we can access it from the victim machine.</div><div><br /></div><div>We also need to start the Apache server.</div><div><br /></div><div><a href="http://1.bp.blogspot.com/-_S_2YLJORGQ/Wh4w23uBtsI/AAAAAAAAFEE/zVdxxsjqgwoqUHRFz2wFGzQiEkRYRBp1wCK4BGAYYCw/s1600/c4d2524b55f9efb2c5f7352c84bdd6cb-725663.png"><img alt="" border="0" height="358" id="BLOGGER_PHOTO_ID_6493681431942903490" src="https://1.bp.blogspot.com/-_S_2YLJORGQ/Wh4w23uBtsI/AAAAAAAAFEE/zVdxxsjqgwoqUHRFz2wFGzQiEkRYRBp1wCK4BGAYYCw/s640/c4d2524b55f9efb2c5f7352c84bdd6cb-725663.png" width="640" /></a>&nbsp;</div><div><br /></div><div>Our next step will be to create a handler in order to receive the connection coming back from our victim machine.</div><div><br /></div><div>As we saw previously, Metasploit contains a special exploit, called <i>multi/handler,</i> for this purpose.</div><div><br /></div><div>It doesn't contain any options and we only have to attach a payload to it, which will be once again our reverse shell.</div><div><br /></div><div>I also use two advanced options we analyzed in the <a 
href="https://savvygeektips.blogspot.com/2017/11/tips-for-information-security_27.html" target="_blank">previous post</a>, <i>ExitOnSession</i> and <i>PrependMigrate</i>.</div><div><br /></div><div>When we open the file on the victim machine, nothing seems to happen, but almost immediately a Meterpreter session opens on Kali.</div><div><br /></div><div><a href="http://4.bp.blogspot.com/-3F7QF9-YD4M/Wh4w3RsqPCI/AAAAAAAAFEM/7nFnSInCG8kVGSe24ajRyEMOXBGc_TwegCK4BGAYYCw/s1600/94f9d310f69ebda9a3038031b5e56840-727756.png"><img alt="" border="0" height="338" id="BLOGGER_PHOTO_ID_6493681438916492322" src="https://4.bp.blogspot.com/-3F7QF9-YD4M/Wh4w3RsqPCI/AAAAAAAAFEM/7nFnSInCG8kVGSe24ajRyEMOXBGc_TwegCK4BGAYYCw/s640/94f9d310f69ebda9a3038031b5e56840-727756.png" width="640" /></a></div><div><br /></div><div>I can also easily obtain a privilege escalation with <b>getsystem</b>.</div><div><b><br /></b></div><div><i>b) <span style="font-style: italic;">exploit/windows/fileformat/adobe_pdf_embedded_exe</span></i></div><div><i><span style="font-style: italic;"><br /></span></i></div><div>This exploit embeds a Metasploit payload within a PDF file, as we can read from <b>show info</b>.</div><div><b><br /></b></div><div><a href="http://2.bp.blogspot.com/-TWHzWQfuznI/Wh4w32qiCOI/AAAAAAAAFEU/E3UGmDXDDF0LQich5St1oURLcrPGH-6cwCK4BGAYYCw/s1600/9db32c8da15811ca0ea98d14cfd3b915-730028.png"><img alt="" border="0" height="278" id="BLOGGER_PHOTO_ID_6493681448839678178" src="https://2.bp.blogspot.com/-TWHzWQfuznI/Wh4w32qiCOI/AAAAAAAAFEU/E3UGmDXDDF0LQich5St1oURLcrPGH-6cwCK4BGAYYCw/s640/9db32c8da15811ca0ea98d14cfd3b915-730028.png" width="640" /></a></div><div><br /></div><div>Relevant options include FILENAME, which I chose to change to something a little less self-explanatory, and INFILENAME, the location of an existing PDF to use as a template.</div><div><br /></div><div>The steps to follow in order to exploit our target machine are the same as those illustrated for the 
previous exploit.</div><div><br /></div><div>Additionally, by dropping a Windows shell, I was able to get more information about the user created on the Windows XP machine and also to add a new user.</div><div><br /></div><div>We can also check the privileges of the user Georgia, which is the user we logged in as, and the existing local groups.</div><div><br /></div><div>We notice that user Georgia is an administrative account, which is why we could successfully obtain a privilege escalation.</div><div><br /></div><div>In order to cover our tracks, I migrated from Adobe Reader to a different process, because if our PDF file gets closed or the program crashes (which is far from uncommon, especially in older versions), our session would die.</div><div><br /></div><div>Afterward, I made sure to kill the process, so nothing suspicious stands out.</div><div><br /></div><div><a href="http://3.bp.blogspot.com/-k6EfslY-OsY/Wh4w4exdyxI/AAAAAAAAFEc/qQoj-M0W1PQ4gtEgw1pn5X9COASibgkmwCK4BGAYYCw/s1600/e6baf0b122ec338744a81eced15d7943-731951.png"><img alt="" border="0" height="142" id="BLOGGER_PHOTO_ID_6493681459606178578" src="https://3.bp.blogspot.com/-k6EfslY-OsY/Wh4w4exdyxI/AAAAAAAAFEc/qQoj-M0W1PQ4gtEgw1pn5X9COASibgkmwCK4BGAYYCw/s640/e6baf0b122ec338744a81eced15d7943-731951.png" width="640" /></a></div><div><br /></div><div><i>Wrap-up</i></div><div><br /></div><div>PDF is a multiplatform file format, very useful and handy for creating content such as presentations, reports, white papers, etc.</div><div><br /></div><div>Sadly, though, its advanced functionality and its Flash and JavaScript support can be exploited to launch several types of attacks, falling within the client-side category.</div><div><br /></div><div>This shows how important it is to keep Adobe Reader constantly updated, in order to prevent these vulnerabilities from being exploited with impactful outcomes.<br /><br /><a 
href="https://savvygeektips.blogspot.com/2017/11/tips-for-information-security_29.html" target="_blank"><b>Episode 42 </b></a><br /><br /><b><a href="https://savvygeektips.blogspot.com/2017/11/tips-for-information-security_27.html" target="_blank">Episode 40</a></b> </div></div><div class="blogger-post-footer"><hr />
<a href="http://savvygeektips.blogspot.com">One Tip A Day Tech Blog</a></div><div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/blogspot/HLRhI/~4/PPe2TKPLcp4" height="1" width="1" alt=""/>http://feedproxy.google.com/~r/blogspot/HLRhI/~3/PPe2TKPLcp4/tips-for-information-security_29.htmlnoreply@blogger.com (Mattia Campagnano)0http://savvygeektips.blogspot.com/2017/11/tips-for-information-security_29.html